Issue with SonarQube Not Detecting XXE Vulnerabilities in Certain Files

Hi,

We are experiencing an issue with SonarQube not detecting XXE (XML External Entity) vulnerabilities in some of our files. We have scanned our repositories for security vulnerabilities, and while SonarQube identified many instances of XXE in various files, it has ignored some files despite the XML parser calls being the same.

Example

In the following code snippet, SonarQube did not identify the vulnerability whereas the same code has been highlighted as vulnerable in other files.

final TransformerFactory transfac = TransformerFactory.newInstance(); // NOT IDENTIFIED AS VULNERABLE BY SQ

The quality gate rule related to XXE vulnerabilities is java:S2755, but there is limited information available about the pattern matching criteria for this rule.

Could you please provide guidance on why SonarQube might be missing these vulnerabilities and how we can ensure that all instances of XXE vulnerabilities are detected? Any insights into the pattern matching criteria for rule java:S2755 would be greatly appreciated.

Thank you for your assistance.
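As an added example (not code from this thread or from SonarSource), the `TransformerFactory` line from the question is shown next to the configuration that rule S2755 treats as compliant, restricting external DTD and stylesheet access; the class name and the sample XML are my own constructs.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class TransformerFactoryHardening {

    // The pattern from the question: nothing on the factory restricts
    // external DTD or stylesheet access, which is what S2755 looks for.
    static TransformerFactory unrestrictedFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened form: an empty value denies every protocol, so external
    // entities in a DTD and xsl:import/xsl:include cannot reach out.
    static TransformerFactory hardenedFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Identity transform; each Transformer created from the factory
    // inherits the access restrictions set on that factory.
    static String identityTransform(TransformerFactory factory, String xml)
            throws TransformerException {
        Transformer t = factory.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample input with no DOCTYPE, so it passes either factory.
        String xml = "<?xml version=\"1.0\"?><config><host>example.invalid</host></config>";
        System.out.println(identityTransform(hardenedFactory(), xml));
        // Reading the attribute back is a cheap self-check for a unit test or review.
        System.out.println("accessExternalDTD="
                + hardenedFactory().getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD));
    }
}
```

Wrapping factory creation in one helper like `hardenedFactory()` also makes the analyzer's job easier: the restricting calls are on the same object in the same method, rather than spread across files where a false negative like the one reported here is more likely.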

Hey there.

Thanks for the report. This seems to match an existing false-negative, SONARJAVA-4293. Can you confirm?

For what it’s worth, the code for this rule is available on GitHub! But it’s not as simple as pattern matching.

Hi, thank you for the prompt response. SONARJAVA-4293 seems to be an old issue. Do you have any plans to fix it?

It’s in the backlog, but no ETA. I’ve linked your thread to the ticket, which helps when we decide what we should prioritize when fixing bugs.