I’m using the Community Edition Version 7.7 (build 23042).
A false positive is being identified in several projects (Disable XML external entity (XXE) processing).
In our case we are using the DocumentBuilderFactory object, and we are correctly using the setFeature and setExpandEntityReferences methods to disable the external entities, as we can see in the following image:
You can forget my question, I’m able to reproduce this FP using a fresh SQ 7.7 CE (running SonarJava 5.11) and the latest version of your code available here: https://github.com/ArneLimburg/jpasecurity