java:S2755 XML parsers should not be vulnerable to XXE attacks - static final


We define the DocumentBuilderFactory as static code and are setting the needed attributes and features. Sonar still reports this as an issue when DOC_BUILDER_FACTORY.newDocumentBuilder() is called.

import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

private static final DocumentBuilderFactory DOC_BUILDER_FACTORY;
static {
    DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
    // Block all external DTD access (empty string = no protocols allowed)
    DOC_BUILDER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    try {
        // Feature name appears as an empty string in the post; kept as posted
        DOC_BUILDER_FACTORY.setFeature("", true);
    } catch (ParserConfigurationException e) {
        throw new IllegalStateException(e);
    }
}

private String extract(RequestType request) {
    final Document doc;
    try {
        // Sonar flags this newDocumentBuilder() call as S2755
        final DocumentBuilder builder = DOC_BUILDER_FACTORY.newDocumentBuilder();
        // iiTypeXML is not shown in the post
        InputSource is = new InputSource(new StringReader(iiTypeXML));
        doc = builder.parse(is);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }

    return doc.getFirstChild().getAttributes().getNamedItem("extension").getTextContent();
}

Do we miss something here? Or is the only solution to mark it as “false positive”?

Hello @Lesrac

I agree that this issue should not be reported, you can mark it as false positive for now.

The good news is that we just recently changed the implementation of this rule a bit, and the problem in your code is no longer reported. I don’t have a ticket describing the exact problem as this was done in the context of another one (SONARJAVA-4059), but it will be part of version 7.8 of the analyzer.

Hope it clarifies the situation.
