Possible false positive with `java:S2755`

hannes · January 27, 2026, 3:06pm

Make sure to read this post before raising a thread here:

Then tell us:

What language is this for?
- Java
Which rule?
- S2755
Why do you believe it’s a false-positive/false-negative?
- Our code sets transformerFactory.setAttribute(ACCESS_EXTERNAL_DTD, "");
  but still triggers a failure of the rule “Disable access to external entities in XML parsing”
Are you using
- SonarCloud
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
- Permalink to GitHub: ris-adm-literature/backend/src/main/java/de/bund/digitalservice/ris/adm_literature/documentation_unit/converter/xml/DomXmlWriter.java at 8342f2ad524d79115bd3b25df9a8783796ae9951 · digitalservicebund/ris-adm-literature · GitHub
- Triggers S2755:
  
  image1624×1694 308 KB
Checking the docs on TransformerFactory’s setAttribute() and "ACCESS_EXTERNAL_DTD (“an empty string to deny all access to external references”) seem to say differently.

Topic		Replies	Views
False Positive: Rule java:S2755 – “Disable access to external entities in XML parsing” Report False-positive / False-negative...	2	265	July 3, 2025
XML parsers should not be vulnerable to XXE attacks (java:S2755) Report False-positive / False-negative... java	3	3550	February 9, 2021
java:S2755 has wrong solution for TransformerFactory SonarQube Server / Community Build java , sonarqube	3	1074	May 20, 2024
S2755 fails for DocumentBuilderFactory XXE should be disabled SonarQube Cloud java , sonarqube-ide , sonarqube-cloud	2	4432	May 3, 2019
Bug in "XML parsers should not be vulnerable to XXE attacks (java:S2755)" SonarQube Server / Community Build	6	831	January 22, 2025