Vulnerabity XXE - false positive

We use sonarQube to find vulnerabilities, sonar found a vulnerabity XXE, I have repair it but sonar still show the vulnerability after

I have this code to fix it :

TransformerFactory transformerFactory = javax.xml.transform.TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "all");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "all");
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Transformer transformer = transformerFactory.newTransformer(new StreamSource(xslt));
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty(OutputKeys.ENCODING, encoding);

How can we make sure that sonar doesn’t see the vulnerability anymore ?

Thanks
Aurélie

Hello @aehanno

To protect your TansformerFactory against XXE attacks use:

transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

After changes if SonarQube still detect a vulnerability it’s because SonarJava faces an issue related to classpath conflict and this problem will be addressed in the upcoming releases of SonarJava, in the meantime you can mark issues as false positives (“resolve as false positive”).

Eric

Hello @eric.therond

Thank you for you response.
But I don’t know how to mark issues as false positive. I don’t see “resolve as false positive”.
How do you do that?

Thanks
Aurélie

Hello @aehanno
on a issue, click on “open” then “resolve as false positive”

howtofp986×169 16.2 KB

Eric

Hi @eric.therond

I have only “Resolve as fixed”

image996×146 11.7 KB

Is there a configuration to do to have this functionality ?

Aurélie

Hi @aehanno,

do you know which permissions you have in SonarQube ?
As mentioned in our documentation, marking an issue as False Positive “requires Administer Issues permission on the project”.

Carine