java:S2755 Mitigating XXE vulnerability in a utility method and returning DocumentBuilderFactory is not recognized

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

// ClassA: utility method that configures the factory once, for every caller
public static DocumentBuilderFactory getDocumentBuilderFactory() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    try {
        // XXE-related parser features (the feature names are not shown in the post)
        dbf.setFeature("", false);
        dbf.setFeature("", false);
    } catch (ParserConfigurationException ex) {
        throw locate(internalError(ex)); // poster's own error-wrapping helpers
    }
    return dbf;
}


// ClassB: consumer of the hardened factory
DocumentBuilderFactory dbf = ClassA.getDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder();

In ClassB, the call dbf.newDocumentBuilder() is flagged for XXE vulnerability, although the threat is mitigated in the method that returns the factory.

SonarQube Enterprise Edition
Version 8.8 (build 42792)
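For reference, here is a fully hardened factory of the kind the post describes, written as an added example for this page rather than taken from the post or from SonarSource. The feature and property names are the standard Xerces/SAX/JAXP ones; the class name SafeXml, the parse helper and the sample documents are invented for the illustration. It also shows the factory being exercised against a constructed external-entity payload, which the paragraphs above do not.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class SafeXml {

    // Utility method in the same spirit as the post: every XXE-related
    // switch is set on the factory before it is handed out to callers.
    public static DocumentBuilderFactory getDocumentBuilderFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            // Rejecting the DOCTYPE outright is the strongest setting: with no
            // entity declarations there are no internal or external entities at all.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that do not honour the feature above.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException ex) {
            // A parser that cannot be hardened must not be used at all.
            throw new IllegalStateException("XML parser cannot be hardened against XXE", ex);
        }
        // Block XInclude and entity expansion, and deny all external DTD/schema
        // access (JAXP 1.5 properties; the empty string means "no protocol allowed").
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Hypothetical consumer, the equivalent of ClassB in the post.
    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = getDocumentBuilderFactory().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE payload: an external entity pointing at a local file.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                + "<foo>&xxe;</foo>";
        try {
            parse(xxe);
            System.out.println("UNEXPECTED: payload parsed");
        } catch (SAXException expected) {
            // Xerces reports that DOCTYPE is disallowed; the file is never opened.
            System.out.println("Blocked: " + expected.getMessage());
        }

        // An ordinary document without a DOCTYPE still parses normally.
        Document doc = parse("<config><name>demo</name></config>");
        System.out.println("Root element: " + doc.getDocumentElement().getNodeName());
    }
}
```

Rejecting the DOCTYPE refuses every document that carries a DTD, harmless ones included; if DTDs have to be accepted, drop only that first feature and keep the three entity/DTD features false and the ACCESS_EXTERNAL_* properties empty, accepting that the protection then depends on the parser honouring them. The ACCESS_EXTERNAL_* attributes need a JAXP 1.5 parser (the JDK's built-in one since Java 7u40); an older third-party Xerces throws IllegalArgumentException on them.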

Hello @JSamir

Indeed, this is not the expected behavior; your code looks good to me.

Ticket created: SONARJAVA-3842.

Thanks for reporting this issue and providing a reproducer.
