Our code is triggering java:S2755 but I think it’s a false positive.
Here is the relevant piece of code:
```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // java:S2755 is reported here
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(cr.getEntity(String.class))));
```
The issue is reported on the first line (creating the factory).
Notice how we’re setting the secure feature.
I found this feature described in this Java 13 security doc: Java API for XML Processing (JAXP) Security Guide.
The doc says that setting this feature explicitly is equivalent to setting “external access restrictions … to empty string”, which appears to be equivalent to the suggestion by SonarQube.
It’s also mentioned in the Java 8 Javadoc, although there’s no mention of external access restrictions…
However, in the SonarQube suggestions for java:S2755, there is no mention of the FEATURE_SECURE_PROCESSING feature anywhere. Neither is it mentioned in the OWASP cheat sheet doc that the latest SonarQube Java scanner was basing its suggestions off of (from this post).
I’m confused – is there something wrong with just using the FEATURE_SECURE_PROCESSING feature? Or is this a false positive?
SonarQube server version: 9.6.1 (build 59531)
Gradle plugin version: 184.108.40.2063
Gradle Java version: 11
Source code JDK version: 1.8
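For comparison with the snippet above, here is the explicit DOCTYPE/entity hardening that the java:S2755 rule description and the OWASP XXE cheat sheet point to, as an added example that is not part of the original post or of SonarQube's own material. It keeps FEATURE_SECURE_PROCESSING in place but also turns off DOCTYPE processing and external entities by their standard SAX/Xerces feature URIs, then parses a constructed XXE payload and a benign document to show which one the hardened parser rejects. The class name, the helper methods and the two sample documents are all assumptions made for this example; the `cr.getEntity(...)` call from the original is replaced by an inline string.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not from the original post): a DocumentBuilderFactory hardened the way
 * the S2755 rule and the OWASP XXE cheat sheet describe, exercised against a constructed
 * external-entity payload and a benign document.
 */
public class XxeHardenedParser {

    /** Hardened factory: refuse DOCTYPE entirely, with defence-in-depth settings behind it. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary control: no DOCTYPE means no internal or external entity declarations at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different JAXP implementation on the classpath ignores the above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // Kept as in the original snippet; the rule and OWASP guidance treat the explicit
        // settings above as the required mitigation rather than this flag alone.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    /** Constructed malicious input: classic file-read XXE payload (assumed for this example). */
    static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
          + "<foo>&xxe;</foo>";

    /** Constructed benign input with no DOCTYPE: must still parse normally. */
    static final String BENIGN = "<foo><bar>ok</bar></foo>";

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean parses(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // Expected for the payload: the parser stops at the DOCTYPE before any entity is resolved.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = hardenedFactory();
        System.out.println("benign parses:  " + parses(factory, BENIGN));
        System.out.println("payload parses: " + parses(factory, XXE_PAYLOAD));
    }
}
```

Run it with `javac XxeHardenedParser.java && java XxeHardenedParser`; the benign document parses and the payload is rejected with a SAXParseException at the DOCTYPE. Because `disallow-doctype-decl` rejects the document before any entity is declared, the `file:///etc/passwd` reference is never attempted, which is why the rule prefers that explicit control over relying on a single implementation-wide flag.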