We are using the Enterprise version of SonarQube.
- Version 8.9.7 (build 52159)

The Sonar rule "XML parsers should not be vulnerable to XXE attacks" (java:S2755) could not recognize our own code, which is using a secured XML parser via a separate util class, and still reports that the code is vulnerable. We want to know if Sonar could enhance the rule if we can provide such util classes, and avoid reporting such issues in the future.

Code sample:
DocumentBuilderFactory factory = XmlUtils.getSecuredDocumentBuilderFactoryInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
where the XmlUtils code is written by ourselves as below (imports, the checked exception and the missing return statement added so the snippet compiles):

    import javax.xml.XMLConstants;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.parsers.ParserConfigurationException;

    class XmlUtils {
        // Returns a DocumentBuilderFactory with external DTD access disabled
        // and secure processing enabled; setFeature may throw if the parser
        // does not support the feature.
        public static DocumentBuilderFactory getSecuredDocumentBuilderFactoryInstance() throws ParserConfigurationException {
            DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
            df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            return df;
        }
    }
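The following is an added, stand-alone example (not code from the post or from SonarSource) showing a hardened DocumentBuilderFactory together with a check that the hardening actually takes effect at parse time. It sets both ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to the empty string, which is what S2755's documented compliant solution for DocumentBuilderFactory does, alongside the FEATURE_SECURE_PROCESSING setting from the post. The class and method names (SecureXmlParsingDemo, securedFactory, rejectsExternalEntity), the sample document and the placeholder file path are all constructed for this example; the only external-entity target is a path that does not exist, so the default (unhardened) factory fails with an I/O error when it tries to fetch it, while the hardened factory refuses before any access is attempted.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.xml.sax.SAXException;

public class SecureXmlParsingDemo {

    // Hardened factory (constructed example). The two ACCESS_EXTERNAL_*
    // attributes are the settings used in S2755's documented compliant
    // solution; FEATURE_SECURE_PROCESSING is the setting from the post.
    // A new factory is created per call because DocumentBuilder instances
    // are not thread-safe.
    public static DocumentBuilderFactory securedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return df;
    }

    // Runtime check of the hardening: parses the given XML with the given
    // factory and returns true only when the parser itself rejected the
    // external entity because of the access restriction.
    //   SAXException  -> the JDK parser refused to read the external document
    //                    ("... not allowed due to restriction set by the
    //                    accessExternalDTD property")
    //   IOException   -> the parser tried to fetch the resource, i.e. the
    //                    restriction was NOT in effect
    //   no exception  -> the document parsed, entity handling was not blocked
    public static boolean rejectsExternalEntity(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException {
        try {
            factory.newDocumentBuilder()
                   .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        // Constructed sample input: a DOCTYPE that declares an external entity
        // pointing at a deliberately non-existent placeholder path.
        String constructed = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
                + "<data>&ext;</data>";

        DocumentBuilderFactory defaultFactory = DocumentBuilderFactory.newInstance();
        System.out.println("default factory blocks external entity:  "
                + rejectsExternalEntity(defaultFactory, constructed));
        System.out.println("hardened factory blocks external entity: "
                + rejectsExternalEntity(securedFactory(), constructed));
    }
}
```

The point of the rejectsExternalEntity helper is that it tests the behaviour the rule is trying to enforce, independently of whether the static analyzer can follow the call into a utility class: a unit test around it keeps working even when the factory configuration lives in a separate XmlUtils-style class, which the post reports S2755 does not trace through.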