S2755 fails for DocumentBuilderFactory XXE should be disabled

SonarCloud with Maven Plugin (3.6.0.1398) and SonarLint

Test code from the repository (fails with SonarLint, not tested with Maven Plugin)

    import javax.xml.XMLConstants;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.parsers.ParserConfigurationException;

    // setFeature throws the checked ParserConfigurationException, so the method must declare it
    DocumentBuilderFactory no_property() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

Our code:

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        // disable external entities
        documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        documentBuilderFactory.setNamespaceAware(false);

Similar issue: S2755 False positive in SonarLint

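For comparison, an added example (not code from the jpasecurity project or from this thread) showing a stricter factory that rejects any DOCTYPE outright, so an external entity can never be declared, together with a constructed XXE-shaped document to confirm the parser refuses it. The class name `XxeHardening`, the sample document and the placeholder `file:///` URL are assumptions; the Apache feature name is assumed to be honoured by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Builds a DocumentBuilderFactory that fails the parse on any <!DOCTYPE>,
    // so neither external nor internal entities can be declared at all.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature name; assumed to be supported by the JDK's bundled parser.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: block fetches of external DTDs and schemas as well.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Constructed sample (hypothetical): a document declaring an external entity,
    // the classic XXE shape. The URL is a placeholder, not a real target.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///constructed/placeholder\"> ]>\n"
        + "<foo>&xxe;</foo>";

    // Returns true when the hardened builder refuses the sample instead of parsing it.
    static boolean rejectsXxeSample() throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(XXE_SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed successfully: the DOCTYPE was not blocked
        } catch (SAXParseException e) {
            return true;  // DOCTYPE rejected before any entity could be resolved
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("XXE sample rejected: " + rejectsXxeSample());
    }
}
```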

Why is this bug report marked as false positive without any comment?

See https://sonarcloud.io/project/issues?id=org.jpasecurity%3Ajpasecurity&open=AWipZqpsqh3OODMjeESR&resolved=false&types=VULNERABILITY

Hello,

I confirm this is a FP. The rule S2755 should not raise an issue in this case. This problem is the same as SonarQube DocumentBuilderFactory XXE (squid:S2755).

While waiting for us to fix this problem, you can mark the issue as FP.

Alex