S2755 False positive in SonarLint

We have updated our quality profile with new rules that are right now detected by sonar lint as well. However sonar lint will still mark the code in IntelijIdea as incorrect even when the appropriate steps are carried out. Can someone take a look if this is only issue with sonar lint plugin, or if the rule itself should be improved somehow?

  • versions used are 6.7.6 with latest sonar java plugin.

import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import java.io.IOException;

public final class XmlValidator {

	private final Schema schema;

	public XmlValidator(Schema schema) {
		this.schema = schema;

	public void validate(Source source) throws IOException, SAXException {
		Validator validator = schema.newValidator();
		validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
		validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");



I’m sorry I am really unsure of what is the problem you are encountering.
Is it that a S2755 issue is properly absent on sonarcloud but still raised by SonarLint in intellij ?

Hello. Sorry for bringing this up again, but I’m having this exact issue. The following code:

    final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Sonar java:S2755
    dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // // Sonar java:S2755
    final DocumentBuilder db = dbf.newDocumentBuilder();
    final Document doc = db.newDocument();

is still reported as security issue in IntelliJ SonarLint plugin.

Hello @Lorthirk,

We very recently (on Monday) released SonarJava 6.2, including a rework of XXE vulnerabilities
detection on Java (rule S2755). I tested your sample with it and no issue is raised anymore.

The new version is already available for SonarQube and SonarCloud, for SonarLint, it should be available for the next release, or right now if you are using connected mode!


I’m using Connected Mode against a public SonarCloud project, but the error is still showing :\

For any reference, SonarLint IntelliJ version is

Sorry, my bad. I realized I wasn’t correctly applying the suggested fix. Now the issue disappeared from both SonarCloud and SonarLint.

1 Like