S2755 fails for DocumentBuilderFactory XXE should be disabled

java
sonarlint
sonarcloud

(CSchulz) #1

SonarCloud with Maven Plugin (3.6.0.1398) and SonarLint

Test code from the repository (fails with SonarLint, not tested with Maven Plugin)

    // setFeature can throw ParserConfigurationException, so the method must declare it
    DocumentBuilderFactory no_property() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

Our code:

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        // disable external entities
        documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        documentBuilderFactory.setNamespaceAware(false);

Similar issue: S2755 False positive in SonarLint
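For comparison, here is a factory configured with the explicit settings that rule S2755 lists as compliant (disallowing the DOCTYPE declaration and setting `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` to the empty string), together with a small self-check. This is an added example, not code from the reporter's project or from the SonarSource repository; it assumes the JDK's built-in parser, and the class and method names are chosen here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardenedFactory {

    // Factory configured the way S2755's compliant solution describes (assumed names).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE, so no entity declarations (internal or external) are accepted.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Forbid fetching external DTDs and schemas regardless of parser implementation.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Additional defaults that remove further inclusion paths.
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Returns true when the parser accepted the document, false when it refused it.
    static boolean parses(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = hardenedFactory();
        // Constructed samples: a plain document, and one that carries a (harmless,
        // internal) DOCTYPE, which the hardened factory refuses before any entity is used.
        System.out.println("plain document accepted: "
            + parses(factory, "<root><a>1</a></root>"));
        System.out.println("document with DOCTYPE accepted: "
            + parses(factory, "<!DOCTYPE root [<!ENTITY x \"y\">]><root>&x;</root>"));
    }
}
```

Running the class shows the first document being accepted and the second being rejected; the same check can be run against a factory that only sets `FEATURE_SECURE_PROCESSING` to compare the two configurations on the parser actually on your classpath.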


(CSchulz) #2

Why is this bug report marked as false positive without any comment?

See https://sonarcloud.io/project/issues?id=org.jpasecurity%3Ajpasecurity&open=AWipZqpsqh3OODMjeESR&resolved=false&types=VULNERABILITY