java:S2755: XML parsers should not be vulnerable to XXE attacks

Our code is triggering java:S2755 but I think it’s a false positive.

Here is the relevant piece of code:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(cr.getEntity(String.class))));

The issue is reported on the first line (creating the factory).

Notice how we’re setting the secure feature XMLConstants.FEATURE_SECURE_PROCESSING.
I found this feature described in this Java 13 security doc: Java API for XML Processing (JAXP) Security Guide.
The doc says that setting this feature explicitly is equivalent to setting “external access restrictions … to empty string”, which appears to be equivalent to the suggestion by SonarQube.
It’s also mentioned in the Java 8 Javadoc, although there’s no mention of external access restrictions…
However, in the SonarQube suggestions for java:S2755, there is no mention of the FEATURE_SECURE_PROCESSING feature anywhere. Neither is it mentioned in the OWASP cheat sheet doc that the latest SonarQube Java scanner was basing its suggestions off of (from this post).

I’m confused – is there something wrong with just using the FEATURE_SECURE_PROCESSING feature? Or is this a false positive?


SonarQube server version: 9.6.1 (build 59531)
Gradle plugin version: 3.4.0.2513
Gradle Java version: 11
Source code JDK version: 1.8
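Added example, not code from the post above and not SonarSource's or OWASP's own code: a DocumentBuilderFactory configured with the settings the OWASP XXE cheat sheet recommends for DOM parsing (disallow-doctype-decl plus the JAXP 1.5 ACCESS_EXTERNAL_* properties set to the empty string), kept alongside FEATURE_SECURE_PROCESSING, and run against a constructed XXE payload. The class and method names, the payload and the file path in its entity declaration are assumptions made for the illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Constructed XXE payload for the demonstration (not from the original post):
    // a DOCTYPE that declares an external entity pointing at a local file.
    static final String XXE_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<foo>&xxe;</foo>";

    // Factory configured the way the OWASP cheat sheet recommends for DocumentBuilderFactory.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

        // Strongest single setting: reject any DOCTYPE before an entity can even be declared.
        // Supported by the JDK's built-in parser and by Apache Xerces.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Belt and braces: forbid every protocol for external DTDs/entities and schemas.
        // A parser that predates JAXP 1.5 throws IllegalArgumentException here, which is
        // itself useful: it tells you the restriction would not have been honoured.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        // FEATURE_SECURE_PROCESSING stays on as well; what it does beyond the JDK's
        // resource limits is implementation-defined, so it is not relied on alone.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    static Document parse(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parse(hardenedFactory(), XXE_PAYLOAD);
            System.out.println("UNEXPECTED: payload was parsed");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the parser aborts on the DOCTYPE line itself.
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // A document without a DOCTYPE still parses normally.
        Document ok = parse(hardenedFactory(), "<foo>harmless</foo>");
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());
    }
}
```

The reason to prefer disallow-doctype-decl and the explicit ACCESS_EXTERNAL_* properties over FEATURE_SECURE_PROCESSING on its own is that they are checked by the parser independently of which implementation DocumentBuilderFactory.newInstance() resolves to at runtime (a Xerces jar on the classpath replaces the JDK's parser silently), and they are the settings a static rule can recognise by name. If your documents legitimately need a DOCTYPE, drop the disallow-doctype-decl line and keep the two access properties plus external-general-entities and external-parameter-entities set to false, as the cheat sheet describes.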