SonarQube DocumentBuilderFactory XXE (squid:S2755)

java
sonarqube
scanner
(Clviper) #1

Hi,

I’m using the Community Edition Version 7.7 (build 23042).

A false positive is being identified in several projects (Disable XML external entity (XXE) processing).

In our case, we are using the DocumentBuilderFactory object and we are correctly using the setFeature and setExpandEntityReferences methods to disable the external entities, as we can see in the following image:

Can the rule for this issue be adjusted please?

Thank you.
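The configuration the post describes, written out as an added example (not the reporter's code and not from the jpasecurity project): a DocumentBuilderFactory hardened with setFeature and setExpandEntityReferences, run against a constructed document that declares an external entity. The `file:///does/not/exist` path in the sample is a placeholder, and the feature URIs are the Xerces ones the JDK's built-in parser understands.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XmlParserHardening {

    // Constructed sample: declares an external entity pointing at a
    // placeholder path. A parser with default settings tries to resolve it.
    private static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///does/not/exist\">]>\n"
        + "<root>&ext;</root>";

    // Hardened factory: the shape of configuration S2755 expects to find.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting DOCTYPE outright blocks every entity declaration.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if DOCTYPE has to stay enabled for some inputs.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses SAMPLE with the given factory and reports what happened.
    static String parseOutcome(DocumentBuilderFactory dbf) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();   // hardened: DOCTYPE disallowed
        } catch (Exception e) {
            return "error: " + e.getMessage();      // default: tried to open the external file
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + parseOutcome(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened -> " + parseOutcome(hardenedFactory()));
    }
}
```

The default factory fails only because the placeholder file is absent, which is the attempted resolution the rule warns about; the hardened factory refuses the document before any resolution is attempted.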

S2755 fails for DocumentBuilderFactory XXE should be disabled
(Alexandre Gigleux) #2

Hello,

Can you share which version of SonarJava you are using on your SQ CE 7.7?

Thanks

(Alexandre Gigleux) #4

You can forget my question, I’m able to reproduce this FP using a fresh SQ 7.7 CE (running SonarJava 5.11) and the latest version of your code available here: https://github.com/ArneLimburg/jpasecurity

(Alexandre Gigleux) #5

I managed to reproduce the problem using a simple project made of:

  • one file: XmlParser.java
  • one dependency on hibernate-core-5.1.0

I’ll keep you informed once we have a better idea why this dependency is impacting the result of the analysis.