I upgraded the SonarJava plugin from 5.14.0 to 6.0.1 and I don't understand why the following rule has been deprecated: RSPEC-4435 "XML transformers should be secured". There is no information about the reason in the rule documentation, nor in the commit which changed the status from deprecated (see the commit by Michael Gumowski).
Could somebody provide some details? Or maybe it was done by mistake? I like this rule, so the second option sounds better.
Maybe you can find some relevant information in this Jira ticket: https://jira.sonarsource.com/browse/SONARJAVA-3226. The ticket however is planned for 6.1 and still open.
S4435 has been deprecated in favor of S2755.
The goal of S2755 is to catch more XXE vulnerability use cases in the future (including the correct way to secure XML transformers, but not only that).
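To show what "the correct way to secure XML transformers" means in practice, here is an added example that is not part of this thread and not code from SonarSource: the unsecured `TransformerFactory` configuration that S4435/S2755 report, next to the hardened one that disables external DTD and stylesheet access. The sample documents are constructed inline; the hostname in the DOCTYPE is a placeholder and is never contacted because the hardened factory refuses external DTD access before any fetch happens.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class SecuredTransformerExample {

    // Non-compliant (what the rule reports): the default factory may resolve
    // external DTDs/entities and external stylesheets, which is the XXE vector.
    static Transformer unsecuredTransformer() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        return factory.newTransformer();
    }

    // Compliant: forbid every protocol for external DTD and stylesheet access.
    // An empty string means "no protocol allowed" for these JAXP properties.
    static Transformer securedTransformer() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory.newTransformer();
    }

    // Identity transform of an in-memory document; returns the serialized output.
    static String transform(Transformer t, String xml) throws TransformerException {
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample: a plain document with no external references.
        String plain = "<?xml version=\"1.0\"?><root><item>hello</item></root>";
        System.out.println("secured, plain doc: " + transform(securedTransformer(), plain));

        // Constructed sample: a document whose DOCTYPE points at an external DTD.
        // "dtd.example.invalid" is a placeholder host, not a real resource.
        String externalDtd = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE root SYSTEM \"http://dtd.example.invalid/root.dtd\">"
                + "<root><item>hello</item></root>";
        try {
            transform(securedTransformer(), externalDtd);
            System.out.println("secured, external DTD: accepted (unexpected)");
        } catch (TransformerException e) {
            // Expected: the JDK parser refuses the external DTD because the
            // accessExternalDTD restriction is set, so nothing is fetched.
            System.out.println("secured, external DTD: rejected -> " + e.getMessage());
        }
        // The unsecured factory is left unused here on purpose: with it, the
        // parser would attempt to fetch the DTD from the network.
    }
}
```

Setting `XMLConstants.FEATURE_SECURE_PROCESSING` to `true` via `setFeature` is the other widely used hardening; the two attributes above are the explicit form that the S4435 rule description shows as compliant, and they work on the JDK's built-in XSLTC factory.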
Thank you! It would be great if the same explanation could be added to the rule documentation.
One more thing: the rule is still enabled in the "Sonar way" built-in profile.