Java Rule squid S2755 False Positive

SonarQube: 6.7.5
SonarJava Plugin: 5.12.1 (build 17771) installed
Scanner: AzureDevOps task v4

Error:
Rule key: squid S2755

Relevant line from the rule:
" To disable external entity processing for SAXParserFactory, XMLReader or DocumentBuilderFactory configure one of the features XMLConstants.FEATURE_SECURE_PROCESSING or "http://apache.org/xml/features/disallow-doctype-decl" to true."

Current code (copied from file in Sonar UI):

DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();

Recommended code from here:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder db = dbf.newDocumentBuilder();

Current work-around:
Just to mark it as a false-positive and move on.

The interesting part is that this rule is marked as closed in other situations.

Upgrading to Sonar version 6.7.7 and sonarJava version 5.13 did not resolve this false positive.

It’s weird to have this FP: you are using the safety feature mentioned in the rule description. Also I can’t reproduce it.

Could you try with SonarJava 5.13.1? Also please provide a screenshot of the FP you have.

Sorry for the late response. I looked at the release notes for 5.13.1 and I am not sure how that would fix the issue described above.

I think we will just accept that it is marked as a false positive for the time being. We haven’t encountered any other instances of this issue, and the developer for this project doesn’t seem to be focused on this issue any more.

Thank you for your time.