Make sure to read this post before raising a thread here:
Then tell us:
What language is this for?
Java
Which rule?
S2755
Why do you believe it’s a false-positive/false-negative?
Our code sets transformerFactory.setAttribute(ACCESS_EXTERNAL_DTD, "");
but still triggers a failure of the rule “Disable access to external entities in XML parsing”
Are you using
SonarCloud
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
Hey @hannes,
Sorry for the very late reply. It looks like the method you are using is indeed safe and you should mark the issue as a false positive. The method you are using is actually listed as part of the methods to accept in this ticket.
Unfortunately, our symbolic execution engine has been on a hiatus for a little while now and I cannot give you a timeline of when these improvements will be implemented just yet. We will try to clarify that and provide an update as soon as we have one.
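A runtime self-check for the setting discussed in this thread, as an added example that is not code from the original posts or from the analyzer's maintainers. It assumes Java 11+ and the JDK's built-in JAXP implementation (a third-party TransformerFactory on the classpath may reject these attributes); the class name, marker file and sample document are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerCheck {

    // Factory configured as in the question, plus the companion stylesheet
    // restriction. Both are standard JAXP 1.5 attributes; "" denies all protocols.
    static TransformerFactory hardenedFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Identity transform of the given document; returns the serialized output.
    static String transform(TransformerFactory tf, String xml) throws TransformerException {
        StringWriter out = new StringWriter();
        tf.newTransformer().transform(
            new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a local marker file referenced as an external entity.
        Path marker = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(marker, "MARKER-CONTENT");
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + marker.toUri() + "\">]>"
            + "<r>&e;</r>";
        try {
            String result = transform(hardenedFactory(), xml);
            // No exception: the setting only holds if the marker never reached the output.
            System.out.println(result.contains("MARKER-CONTENT")
                ? "FAIL: external entity was resolved"
                : "OK: external entity was not expanded");
        } catch (TransformerException e) {
            System.out.println("OK: parser refused external access: " + e.getMessage());
        } finally {
            Files.deleteIfExists(marker);
        }
    }
}
```

Running the same document through a factory without the two `setAttribute` calls gives the baseline to compare against when justifying a false-positive mark.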