[JAVA] False Negative S2755

Hi,
I am currently working on updating my SonarQube server.
I was using SonarQube 7.8 and the Maven 3.9 plugin.
The vulnerability found was S2755, which corresponds to an XXE vulnerability.

(screenshot: SonarQube 7.8)

I scanned my code with my new SonarQube 9.4 server and the vulnerability is no longer raised, while the code hasn't been changed.

    import java.io.IOException;
    import java.io.InputStream;
    import javax.xml.XMLConstants;
    import javax.xml.transform.stream.StreamSource;
    import javax.xml.validation.Schema;
    import javax.xml.validation.SchemaFactory;
    import javax.xml.validation.Validator;
    import org.xml.sax.SAXException;

    // Validates the incoming XML against one of two pivot XSDs, chosen from the "xsi" hint.
    // apiProperties and log are fields of the enclosing class (not shown in the post).
    protected boolean validationXSDPivot(InputStream inputStream, String xsi) {
        try {
            // SchemaFactory is created with default settings: access to external DTDs and
            // external schemas is not restricted, which is what rule S2755 reports here.
            SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);//Non-Compliant
            ApiProperties.Urls urls = apiProperties.getUrls();
            String urlXsdPivotInvoice = urls.getUrlXsdPivotInvoice();
            String urlXsdPivotExtendedInvoice = urls.getUrlXsdPivotExtendedInvoice();
            String schemaToUse = urlXsdPivotInvoice.contains(xsi) ? urlXsdPivotInvoice : urlXsdPivotExtendedInvoice;

            // The XSD is loaded from the classpath; the XML to validate comes from the caller.
            Schema schema = schemaFactory.newSchema(ClassLoader.getSystemClassLoader().getResource(schemaToUse));

            Validator validator = schema.newValidator();
            validator.validate(new StreamSource(inputStream));
            return true;
        } catch (IOException e) {
            log.error("Exception", e);
            return false;
        } catch (SAXException e) {
            log.error("XSD validation failed", e);
            return false;
        }
    }

The same rule S2755 still exists in SonarQube 9.4.

(screenshot: SonarQube 9.4)
Do not hesitate to answer me, I have been looking for a solution for several hours.
Thanks
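For reference, here is what the compliant version of this pattern looks like. This is an added example, not the poster's code or SonarSource's: the class name, method name and the way the XSD location is passed in are assumptions; the two `XMLConstants` properties are the ones rule S2755 expects to be set.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/** Hypothetical helper: same XSD validation flow as in the post, with external access disabled. */
public final class HardenedXsdValidation {

    // Returns true when the XML read from inputStream conforms to the XSD at xsdLocation.
    public static boolean validate(InputStream inputStream, URL xsdLocation) {
        try {
            SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // Compliant: an empty string means "no protocols allowed", so neither the XSD
            // nor any DTD it references can pull in external resources while the schema is built.
            schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

            Schema schema = schemaFactory.newSchema(xsdLocation);

            Validator validator = schema.newValidator();
            // The Validator keeps its own settings; the document being validated is the
            // untrusted input, so the same restrictions are applied here as well.
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

            validator.validate(new StreamSource(inputStream));
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Fail closed: a JAXP implementation that cannot enforce the restriction is not safe to use.
            throw new IllegalStateException("XML processor does not support external access restrictions", e);
        } catch (IOException | SAXException e) {
            // Malformed input or a schema violation: the document is rejected.
            return false;
        }
    }
}
```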

Hey there.

Please make sure to read this post:

Specifically, we are missing a reproducible code/project sample (that is not a screenshot).


It's done, tell me if it's not correct.

Hello @Zorxi

Since SonarQube 7.8, we reworked this rule almost completely, you should expect different behavior.
That being said, we obviously did it to improve the quality of the results, having new false negatives is not expected.

The good news is that I tested your code on my side, and the issue is correctly reported.
I suspect that your analysis on SonarQube 9.4 was not correctly configured. You should have a look at the logs of the analysis, to see if everything went as expected. Maybe you are missing the binaries of dependencies?

Best,
Quentin


Hi, thanks for your answer. Actually I'm working in a Maven project. In "Java | SonarQube Docs" it is said that the property sonar.java.binaries is not necessary for Maven users.
I'm only using the Sonar way built-in rules.

I don’t know why but it seems that this rule is not in any QualityProfile

(screenshot: SonarQube 7.4)

(screenshot: SonarQube 7.4 in a Docker container)

The rule is inactive, but I don’t know why.
I activated it; it is still not flagged as an issue.

Any idea?

"I activated it; it is still not flagged as an issue."

Could you double-check that the quality profile used for the analysis is the one where the rule is enabled?
In addition, are you really referring to SonarQube 7.4? Or is it SonarQube 9.4?

Sorry for that,

I changed my version of SonarQube 7.4 to 8.9 LTS.
The quality profile used was Java.

I created another profile to activate rules that were deactivated in Sonar way.


I re-ran an analysis and now it's working well, the flag is raised.

Thank you for your help, I hope I didn't waste your time too much.
