java:S2755 XML parsers should not be vulnerable to XXE attacks

Our SonarQube configuration is

SonarQube Community Edition 8.2 (build 32929)
SonarJava Code Analyzer for Java 6.1 (build 20866)

We’re using XMLInputFactory to parse XML files from a string:


XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
XMLEventReader reader = factory.createXMLEventReader(new StringReader(myXmlString));

Rule java:S2755 is triggered and marks these lines as incorrect. The rule’s description suggests to Disable XML external entity (XXE) processing which we already did. More specifically, we’re using the suggested solution from the rule’s description:

XMLInputFactory library:

XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // compliant

XMLEventReader eventReader = factory.createXMLEventReader(new FileReader("xxe.xml"));

The only difference between the suggested solution and our solution is the source of the XML content. However, this should not affect the security of the code.

Hello @akasten and welcome to the community!

XXE rule for Java has been improved recently in the SonarJava 6.2 release (see this announcement):

If you are upgrading to take advantage of these new features, let us know if that resolves your problem, if you cannot upgrade, I suggest closing this issue as “False Positive”.


1 Like

Hi Eric,

thanks for your quick reponse. We’ll try to update the Java analyzer and have a look at the new rule. I’ll keep you informed of our findings.


Hello again,

we’ve installed and successfully tested the new Java analyzer and the false positive did not occur anymore. That solves our issue.

How can I close this topic?

Thanks again,

Good news!

“To close a topic” just click on the “show more” (…) button at the bottom of a post then “solution”.
I have done it for you.