Vulnerability XXE - false positive

We use SonarQube to find vulnerabilities. Sonar found an XXE vulnerability; I have repaired it, but Sonar still shows the vulnerability afterwards.

I have this code to fix it:

TransformerFactory transformerFactory = javax.xml.transform.TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "all");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "all");
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Transformer transformer = transformerFactory.newTransformer(new StreamSource(xslt));
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty(OutputKeys.ENCODING, encoding);

How can we make sure that Sonar doesn’t see the vulnerability anymore?


Hello @aehanno

To protect your TransformerFactory against XXE attacks, use:

transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

After the changes, if SonarQube still detects a vulnerability, it’s because SonarJava faces an issue related to a classpath conflict, and this problem will be addressed in the upcoming releases of SonarJava. In the meantime, you can mark issues as false positives (“resolve as false positive”).


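To check the two settings discussed above outside of SonarQube, the following added example (not part of the thread, and not SonarSource code) compiles a constructed stylesheet that references an external entity, once with `"all"` and once with `""`. It assumes the JDK's built-in TransformerFactory and Java 11+; the class name, method name, temp file and marker string are made up for the illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeTransformerCheck {

    // Returns true if the external entity in the stylesheet was fetched and its
    // content reached the output under the given value of the access attributes.
    static boolean externalEntityResolved(String access, String xslt, String marker) throws Exception {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // "all" permits every protocol; "" permits none.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, access);
        // Governs xsl:import, xsl:include and document(); set alongside the DTD attribute.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, access);
        try {
            Transformer t = factory.newTransformer(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            return out.toString().contains(marker);
        } catch (TransformerException e) {
            return false; // stylesheet rejected: the external reference was not followed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a local temp file stands in for the external resource.
        String marker = "CONSTRUCTED-MARKER";
        Path local = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(local, marker);
        String xslt = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>\n"
            + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
            + "<xsl:template match=\"/\"><out>&ext;</out></xsl:template>\n"
            + "</xsl:stylesheet>";
        System.out.println("access=\"all\" resolved: " + externalEntityResolved("all", xslt, marker));
        System.out.println("access=\"\"    resolved: " + externalEntityResolved("", xslt, marker));
        Files.delete(local);
    }
}
```

Other TransformerFactory implementations on the classpath may not recognise these attributes and can throw IllegalArgumentException from `setAttribute`.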

Hello @eric.therond

Thank you for your response.
But I don’t know how to mark issues as false positive. I don’t see “resolve as false positive”.
How do you do that?


Hello @aehanno
On an issue, click on “open” then “resolve as false positive”.


Hi @eric.therond

I have only “Resolve as fixed”

Is there some configuration needed to have this functionality?


Hi @aehanno,

Do you know which permissions you have in SonarQube?
As mentioned in our documentation, marking an issue as False Positive “requires Administer Issues permission on the project”.