The Java analyzer detects more insecure XML processing, not just XXE

Hello Java developers,

As promised in the XXE blog post series, we are happy to announce new rules for insecure XML processing that go beyond the well-known XXE vulnerability.

Here are the new vulnerability rules:

  • S6373: XML parsers should not allow inclusion of arbitrary files (Blocker)
  • S6374: XML parsers should not load external schemas (Major)
  • S6376: XML parsers should not be vulnerable to Denial of Service attacks (Major)
  • S6377: XML signatures should be validated securely (Major)

These rules are available on SonarCloud, and will be included in SonarQube 9.4 and SonarLint.
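To make the four rule categories above concrete, here is an added example (not code from the page, from SonarSource, or from the rule descriptions) of a Java parser setup that avoids each class of problem using only the JAXP and XML Signature (JSR 105) APIs that ship with the JDK. The class name `HardenedXml`, the helper names, and the two payloads fed to the parser are constructed for this example; which exact settings each Sonar rule checks is an assumption here, so treat the mapping in the comments as guidance, not as the rules' specification.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Hypothetical hardened XML configuration (example code, not the analyzer's own). */
public class HardenedXml {

    /** Parser that neither includes files (S6373-style), fetches external DTDs/schemas
     *  (S6374-style), nor expands entities without limit (S6376-style). */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // No DOCTYPE at all: this removes XXE and entity-expansion DoS ("billion laughs") in one go.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setExpandEntityReferences(false);
        // JAXP secure processing: enforces entity count / depth limits.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XInclude off: an <xi:include href="file:///..."/> must not pull in arbitrary files.
        dbf.setXIncludeAware(false);
        // Empty protocol list: no network or file access for external DTDs or schemas.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    /** SchemaFactory that validates against a local schema only and never fetches imports. */
    static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    /** Signature check (S6377-style): keys come from the caller's trusted KeySelector, never from
     *  the document's own KeyInfo, and secure validation mode is switched on explicitly because
     *  its default varies between JDK versions. The caller still has to check which elements the
     *  Signature's References actually cover before trusting any of the document's content. */
    static boolean validateSignature(Document doc, KeySelector trustedKeys)
            throws MarshalException, XMLSignatureException {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            return false; // exactly one Signature element expected; anything else is rejected
        }
        DOMValidateContext ctx = new DOMValidateContext(trustedKeys, nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // core validation: signature value and every reference digest
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = hardenedDocumentBuilderFactory();

        // Constructed payloads for this example: an entity-expansion bomb and an XInclude of a local file.
        String billionLaughs = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE lolz [<!ENTITY lol \"lol\"><!ENTITY lol2 \"&lol;&lol;&lol;&lol;\">]>\n"
                + "<lolz>&lol2;</lolz>";
        String xinclude = "<doc xmlns:xi=\"http://www.w3.org/2001/XInclude\">"
                + "<xi:include href=\"file:///etc/passwd\" parse=\"text\"/></doc>";

        try {
            dbf.newDocumentBuilder().parse(new ByteArrayInputStream(billionLaughs.getBytes(StandardCharsets.UTF_8)));
            System.out.println("DOCTYPE accepted (unexpected)");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }

        Document d = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xinclude.getBytes(StandardCharsets.UTF_8)));
        Element first = (Element) d.getDocumentElement().getFirstChild();
        // With XInclude disabled the xi:include element stays in the tree unexpanded; nothing was read from disk.
        System.out.println("First child is still: " + first.getTagName());
    }
}
```

Running `main` shows the DOCTYPE payload being refused by the parser and the `xi:include` element surviving untouched, which is the observable difference between a default `DocumentBuilderFactory` and the hardened one. For `validateSignature`, supply a `KeySelector` backed by your own trust store; a selector that simply returns whatever key the document advertises in `KeyInfo` lets an attacker sign with a key of their choosing.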