We used to get vulnerabilities reported when using the xalan transformer factory without disabling external entities. The link below is the rule that used to apply and properly report the vulnerability.
Link to web archieves
But when looking at the latest SonarQube rules for java vulnerabilities Java static code analysis | Vulnerability (sonarsource.com), I see no entries for anything related to XXE.
Why were these vulnerabilities removed from the standard rule set?
Hey there.
There’s some behind-the-scenes conversations about this rule in particular (S2755) and other rules tagged (#symbolic-execution), and one side effect is that they have disappeared from the rules site.
They have disappeared from our own SonarQube instance. The vulnerabilities which we’re present before (we had like 9 of them) can no longer be found anywhere within SonarQube, despite us scanning the exact same java files.
We are running a self hosted version of the SonarQube Community Edition.
Well, it would be very strange for those rules to disappear if you haven’t taken some action, like upgrading your SonarQube instance or changing the Quality Profiles assigned to the project.
Are these rules (tagged like java:S2755) still active in the Quality Profile assigned to your project? If so (and issues raised by this rule aren’t marked False-Positive/Won’t fix, make sure you check!), I think it would be suitable for you to treat these as false-negatives and follow the guidelines for reporting them.