Vulnerability XXE - false positive

Hello @aehanno

To protect your TransformerFactory against XXE attacks use:

// Disable fetching of external DTDs and stylesheets on the factory before creating any Transformer
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

After these changes, if SonarQube still detects a vulnerability, it’s because SonarJava faces an issue related to a classpath conflict. This problem will be addressed in the upcoming releases of SonarJava; in the meantime you can mark the issues as false positives (“Resolve as false positive”).

Eric

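The following is an added, self-contained example (not code from the post above or from SonarSource) showing the hardened factory in use and checking that it actually refuses an external DTD; the class name, the constructed sample XML and the placeholder DTD URL are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedTransformerDemo {

    /** Builds a TransformerFactory that refuses to fetch external DTDs and stylesheets. */
    static TransformerFactory hardenedFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Identity transform of an XML string; returns the serialised output. */
    static String identityTransform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE pointing at an external DTD (placeholder URL, never fetched).
        String withExternalDtd =
            "<?xml version=\"1.0\"?>"
          + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\">"
          + "<note>hello</note>";

        TransformerFactory tf = hardenedFactory();
        try {
            identityTransform(tf, withExternalDtd);
            System.out.println("UNEXPECTED: external DTD reference was not blocked");
        } catch (TransformerException e) {
            // With ACCESS_EXTERNAL_DTD set to "" the JDK parser reports the denied access as a fatal error.
            System.out.println("Blocked as expected: " + e.getMessage());
        }

        // Input without a DOCTYPE is unaffected and still transforms normally.
        System.out.println(identityTransform(tf, "<note>hello</note>"));
    }
}
```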