SonarQube: 6.7.5
SonarJava Plugin: 5.12.1 (build 17771) installed
Scanner: AzureDevOps task v4
Error:
Rule key: squid S2755
Relevant line from the rule:
"To disable external entity processing for SAXParserFactory, XMLReader or DocumentBuilderFactory configure one of the features XMLConstants.FEATURE_SECURE_PROCESSING or "http://apache.org/xml/features/disallow-doctype-decl" to true."
Current code (copied from file in Sonar UI):
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
Recommended code from here:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder db = dbf.newDocumentBuilder();
Current work-around:
Just to mark it as a false-positive and move on.
The interesting part is that this rule is marked as closed in other situations.