S2755 false positive: Sonar scan engine cannot recognize our code, which is secure already

We are using the Enterprise version of SonarQube.

  • Version 8.9.7 (build 52159)

The Sonar rule "XML parsers should not be vulnerable to XXE attacks" (java:S2755) could not recognize our own code, which is using a secured XML parser via a separate util class, and still reports that the code is vulnerable. We want to know if Sonar could enhance the rule if we provide such util classes, to avoid reporting such issues in the future.

Code sample:

DocumentBuilderFactory factory = XmlUtils.getSecuredDocumentBuilderFactoryInstance();
DocumentBuilder builder = factory.newDocumentBuilder();

where the XmlUtils code is written by ourselves, as below:

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

class XmlUtils {
    public static DocumentBuilderFactory getSecuredDocumentBuilderFactoryInstance() throws ParserConfigurationException {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // no protocol allowed: external DTDs/entities are not fetched
        df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JAXP secure-processing limits
        return df;
    }
}

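The following is an added, self-contained example (not code from the original post or from SonarSource) showing what S2755 is protecting against and what a hardened factory looks like when the whole configuration is visible in one place. It writes a constructed "secret" to a temporary file, parses a constructed document whose external entity points at that file with the JDK's default DocumentBuilderFactory (the file content ends up in the DOM), and then parses the same document with a hardened factory that rejects the DOCTYPE outright. The securedFactory helper is an assumed name modelled on the XmlUtils method above; note that it also sets ACCESS_EXTERNAL_SCHEMA and disallow-doctype-decl, which the posted XmlUtils does not, and which the S2755 rule description lists among its compliant configurations.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Assumed hardened factory (modelled on the XmlUtils helper in the post, not its code):
    // forbid DOCTYPE declarations entirely, and additionally block external DTD/schema access
    // in case a parser implementation ignores the Xerces-specific feature.
    static DocumentBuilderFactory securedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        df.setXIncludeAware(false);
        df.setExpandEntityReferences(false);
        return df;
    }

    // Parse the document with the given factory and return the root element's text content.
    static String parseAndGetText(DocumentBuilderFactory df, String xml) throws Exception {
        DocumentBuilder builder = df.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for something like /etc/passwd.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));

        // Constructed attacker-controlled document: an external general entity pointing at the file.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<data>&xxe;</data>";

        try {
            // Default factory: the entity is resolved and the file content lands in the DOM.
            String leaked = parseAndGetText(DocumentBuilderFactory.newInstance(), xml);
            System.out.println("default factory leaked: " + leaked);

            // Hardened factory: the DOCTYPE is rejected before any entity can be resolved.
            try {
                parseAndGetText(securedFactory(), xml);
                System.out.println("secured factory parsed the document (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("secured factory rejected the document: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo` on a stock JDK (no extra dependencies). Rejecting the DOCTYPE is the strongest option when the application never needs a DTD; if DTDs are required, keeping ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA set to the empty string still prevents the parser from fetching anything off-document.
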
Hey there.

Thanks for the detailed report (with all the right info!)

This is indeed a limitation of the rule in SonarQube v8.9 LTS which will be addressed in the upcoming SonarQube v9.4 (SONARJAVA-3842).