S2755 False positive in SonarLint

jburgel · February 21, 2019, 2:52pm

We have updated our quality profile with new rules that are right now detected by sonar lint as well. However sonar lint will still mark the code in IntelijIdea as incorrect even when the appropriate steps are carried out. Can someone take a look if this is only issue with sonar lint plugin, or if the rule itself should be improved somehow?

versions used are 6.7.6 with latest sonar java plugin.


import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import java.io.IOException;

public final class XmlValidator {

	private final Schema schema;

	public XmlValidator(Schema schema) {
		this.schema = schema;
	}

	public void validate(Source source) throws IOException, SAXException {
		Validator validator = schema.newValidator();
		validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
		validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
	}

}

Nicolas_Peru · July 10, 2019, 1:24pm

Hi,

I’m sorry I am really unsure of what is the problem you are encountering.
Is it that a S2755 issue is properly absent on sonarcloud but still raised by SonarLint in intellij ?

Lorthirk · March 11, 2020, 11:59am

Hello. Sorry for bringing this up again, but I’m having this exact issue. The following code:

    final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Sonar java:S2755
    dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // // Sonar java:S2755
    final DocumentBuilder db = dbf.newDocumentBuilder();
    final Document doc = db.newDocument();

is still reported as security issue in IntelliJ SonarLint plugin.

Quentin · March 11, 2020, 4:06pm

Hello @Lorthirk,

We very recently (on Monday) released SonarJava 6.2, including a rework of XXE vulnerabilities
detection on Java (rule S2755). I tested your sample with it and no issue is raised anymore.

The new version is already available for SonarQube and SonarCloud, for SonarLint, it should be available for the next release, or right now if you are using connected mode!

Best,
Quentin

Lorthirk · March 11, 2020, 4:19pm

I’m using Connected Mode against a public SonarCloud project, but the error is still showing :\

For any reference, SonarLint IntelliJ version is 4.5.1.15617

Lorthirk · March 12, 2020, 4:00pm

Sorry, my bad. I realized I wasn’t correctly applying the suggested fix. Now the issue disappeared from both SonarCloud and SonarLint.