SonarQube DocumentBuilderFactory XXE (squid:S2755)


I’m using the Community Edition Version 7.7 (build 23042).

A false positive is being identified in several projects (Disable XML external entity (XXE) processing).

In our case we are using the DocumentBuilderFactory object and we are correctly using the setFeature and setExpandEntityReferences method to disable the external entities as we can see in the following image:

Can the rule for this issue be adjusted please?

Thank you.

1 Like


Can you share which version of SonarJava you are using on your SQ CE 7.7?


You can forget my question, I’m able to reproduce this FP using a fresh SQ 7.7 CE (running SonarJava 5.11) and the latest version of your code available here:

I managed to reproduce the problem using a simple project made of:

  • one file:
  • one dependency on hibernate-core-5.1.0

I’ll keep you informed once we have a better idea why this dependency is impacting the result of the analysis.

we are facing same issues. false positive reported in sonar community version 7.7.
Can you please update on this issue ?


I shared an update on another thread here: SonarQube: 7.7 :Issue is already fixed as per Sonar compliant solution but Sonar still reporting the issues

Do you have in your classpath multiple implementations of DocumentBuilderFactory ?