Java analysis detects more XXE vulnerabilities

Hello Java developers,

The Java analyzer was updated to detect more XXE vulnerabilities, and it now lets you follow the recommendations described in the OWASP XML External Entity Prevention Cheat Sheet.

The accuracy of the XXE detection rule was improved (better issue locations, fewer false positives), and it now also covers the “org.jdom2.input.SAXBuilder” and “org.dom4j.io.SAXReader” APIs.
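As an added illustration (not code from the announcement or the analyzer), the following shows the unconfigured JDOM2 `SAXBuilder` that the XXE rule flags next to hardened `SAXBuilder` and dom4j `SAXReader` setups that apply the OWASP cheat sheet's feature settings; the class name and sample document are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;

import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.xml.sax.SAXException;

// Hypothetical helper class illustrating the OWASP XXE Prevention Cheat Sheet settings.
// Disallowing DOCTYPE declarations removes the entity definitions XXE depends on; the two
// external-entity features are the fallback for parsers that must still accept a DOCTYPE.
public final class SafeXmlParsers {

    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";

    // Unconfigured builder: this is the shape the XXE rule reports, because the
    // default parser resolves external entities referenced by the document.
    public static org.jdom2.Document parseUnsafeJdom(String xml) throws JDOMException, IOException {
        return new SAXBuilder().build(new StringReader(xml));
    }

    // Hardened JDOM2 SAXBuilder.
    public static org.jdom2.Document parseSafeJdom(String xml) throws JDOMException, IOException {
        SAXBuilder builder = new SAXBuilder();
        builder.setFeature(DISALLOW_DOCTYPE, true);
        builder.setFeature(EXTERNAL_GENERAL, false);
        builder.setFeature(EXTERNAL_PARAMETER, false);
        builder.setExpandEntities(false); // keep entity references unexpanded in the tree
        return builder.build(new StringReader(xml));
    }

    // Hardened dom4j SAXReader (setFeature declares SAXException here).
    public static org.dom4j.Document parseSafeDom4j(String xml) throws DocumentException, SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature(DISALLOW_DOCTYPE, true);
        reader.setFeature(EXTERNAL_GENERAL, false);
        reader.setFeature(EXTERNAL_PARAMETER, false);
        return reader.read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: any DOCTYPE, even with a harmless internal entity, is rejected.
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try { parseSafeJdom(withDoctype); } catch (JDOMException e) { System.out.println("JDOM2: " + e.getMessage()); }
        try { parseSafeDom4j(withDoctype); } catch (DocumentException e) { System.out.println("dom4j: " + e.getMessage()); }
    }
}
```

Both hardened parsers fail fast with a parse exception on the DOCTYPE, which is the behaviour the cheat sheet recommends when your application never needs DTDs.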

Finally, we added 2 new security rules related to authentication and file permissions.

Vulnerability Detection:

  • S2755: XML parsers should not be vulnerable to XXE attacks (Blocker)
  • S5679: OpenSAML2 should be configured to prevent authentication bypass (Major)

Security Hotspot Detection:

  • S2612: Setting loose file permissions is security-sensitive

For more information, you can check the changelog.

These features are already available on SonarCloud and will be included in SonarQube 8.3. If you can’t wait, you can already install v6.2 of the Java analyzer from the Marketplace.

Alex