java:S2755 Mitigating XXE vulnerability in a utility method and returning DocumentBuilderFactory is not recognized



public static DocumentBuilderFactory getDocumentBuilderFactory() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    try {
        dbf.setFeature("", false);
        dbf.setFeature("", false);
    } catch (ParserConfigurationException ex) {
        throw locate(internalError(ex));
    }
    return dbf;
}


DocumentBuilderFactory dbf = ClassA.getDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder();

In ClassB, dbf.newDocumentBuilder(); is flagged for XXE vulnerability although the threat is mitigated in the method that returns the factory.

SonarQube Enterprise Edition
Version 8.8 (build 42792)
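
Independently of what the analyzer reports, a runtime check can confirm that a factory returned from a helper method really refuses external entities. This is an added example, not code from the original post: `hardenedFactory()` is a hypothetical stand-in for `ClassA.getDocumentBuilderFactory()`, the feature and attribute names are assumptions (the strings in the post are blank), and it assumes the JDK's built-in JAXP parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class XxeFactoryCheck {
    // Hypothetical stand-in for ClassA.getDocumentBuilderFactory(). The feature and
    // attribute names are assumptions (the strings in the post are blank).
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // True when the canary file's content reaches the parsed document.
    static boolean leaks(DocumentBuilderFactory dbf, String xml, String marker) throws Exception {
        try {
            String text = dbf.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement().getTextContent();
            return text.contains(marker);
        } catch (SAXException rejected) {
            return false; // parser rejected the document, nothing was read from disk
        }
    }

    public static void main(String[] args) throws Exception {
        String marker = "xxe-canary-constructed";
        Path canary = Files.createTempFile("xxe-canary", ".txt"); // constructed sample input
        Files.write(canary, marker.getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e SYSTEM \""
                + canary.toUri() + "\">]><r>&e;</r>";
        try {
            System.out.println("default factory leaks:  "
                    + leaks(DocumentBuilderFactory.newInstance(), xml, marker));
            System.out.println("hardened factory leaks: " + leaks(hardenedFactory(), xml, marker));
            if (leaks(hardenedFactory(), xml, marker)) throw new AssertionError("XXE not mitigated");
        } finally {
            Files.delete(canary);
        }
    }
}
```

Run as a unit test against the real helper, a check like this gives concrete evidence to attach when an issue raised on the calling class is resolved as a false positive.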