Hello @akasten and welcome to the community!
XXE rule for Java has been improved recently in the SonarJava 6.2 release (see this announcement):
If you are upgrading to take advantage of these new features, let us know if that resolves your problem, if you cannot upgrade, I suggest closing this issue as “False Positive”.
Eric