[JAVA] False Negative S2755

Clean Code Report False-positive / False-negative...
, ,
1

Hi,
I am currently working on updating my SonarQube server.
I was using SonarQube 7.8, and the maven 3.9 plugin.
The vulnerability found was S2755 which corresponds to an XXE vulnerability.

image
image1900×393 31.3 KB

(SONARQUBE 7.8)

I scanned my code with my new serv SonarQube 9.4 and the vulnerability is no more raised while the code hasn’t been changed

    protected boolean validationXSDPivot(InputStream inputStream, String xsi) {
        try {

            SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);//Non-Compliant
            ApiProperties.Urls urls = apiProperties.getUrls();
            String urlXsdPivotInvoice = urls.getUrlXsdPivotInvoice();
            String urlXsdPivotExtendedInvoice = urls.getUrlXsdPivotExtendedInvoice();
            String schemaToUse = urlXsdPivotInvoice.contains(xsi) ? urlXsdPivotInvoice : urlXsdPivotExtendedInvoice;

            Schema schema = schemaFactory.newSchema(ClassLoader.getSystemClassLoader().getResource(schemaToUse));

            Validator validator = schema.newValidator();
            validator.validate(new StreamSource(inputStream));
            return true;
        } catch (IOException e) {
            log.error("Exception", e);
            return false;
        } catch (SAXException e) {
            log.error("XSD validation failed", e);
            return false;
        }
    }

The same rule S2755 still exists in sonar9.4,

image
image1068×566 28 KB

(SONARQUBE 9.4)
Do not hesitate to answer me, I have been looking for a solution for several hours.
Thanks

2

Hey there.

Please make sure to read this post:

Specifically, we are missing a reproducible code/project sample (that is not a screenshot).

1 Like
3

it’s done, tell me if it’s not correct

6

Hello @Zorxi

Since SonarQube 7.8, we reworked this rule almost completely, you should expect different behavior.
That being said, we obviously did it to improve the quality of the results, having new false negatives is not expected.

The good news is that I tested your code on my side, and the issue is correctly reported.
I suspect that your analysis on SonarQube 9.4 was not correctly configured. You should have a look at the logs of the analysis, to see if everything went as expected. Maybe you are missing the binaries of dependencies?

Best,
Quentin

1 Like
7

Hi thanks for your answer, actually I’m working in a Maven project. In Java | SonarQube Docs it is said that the property for Maven users sonar.java.binaries is not necessary.
I’m only using Sona-way built-in Rules

I don’t know why but it seems that this rule is not in any QualityProfile

image
image1371×649 39.4 KB

(SonarQube 7.4)
image
image1590×784 51.7 KB

(SonarQube 7.4 in a docker container)

The rule is inactive, but I don’t know why.
I activated it, it still not flaged ass issue.

image
image

Any idea ?

8

I activated it, it still not flaged ass issue.

Could you double-check that the quality profile used for the analysis is the one where the rule is enabled?
In addition, are you really referring to SonarQube 7.4? Or is it SonarQube 9.4?

10

Sorry for that,

I changed my version of SonarQube7.4 to 8.9 LTS.
The quality profile used was Java

image
image1361×484 12.3 KB

I created another profile to activate rules that were deactivated in SonarWay;

image
image1329×399 15.9 KB

image
image960×164 6.32 KB

image
image1312×597 17.4 KB

I re-ran an analysis and now it’s working well, the flag is raised.

Thank you for your help, I hope i didn’t waste your time too much.

1 Like
11

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.