`net.sf.saxon.TransformerFacatoryImpl` does not support `XMLConstants.ACCESS_EXTERNAL_{DTD,SCHEMA}`

Versions used:


  • java:S2755 – XML parsers should not be vulnerable to XXE attacks

Minimal code sample:

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory; 
class TestClass() {
    void createTransformerFactory() throws IllegalArgumentException {
            final TransformerFactory transformerFactory = TransformerFactory.newInstance();

            // Saxon doesn't support the standard XMLConstants in its factory -- it throws an exception
            // (saxon HE 9.9.1 is brought in by com.puppycrawl.tools:checkstyle:8.18)

            if (transformerFactory instanceof net.sf.saxon.TransformerFactoryImpl)
                transformerFactory.setFeature(net.sf.saxon.lib.FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return transformerFactory;

Source code for the actual factory:

Hello @tsmock
welcome to the community and sorry for the delay

According to this ticket, Saxon supports these two properties since 10.3 version and higher:

transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

I tested and it works, most of the external entities will be disallowed by doing that.
Is that possible to upgrade Checkstyle/Saxon library you use?