Why XML transformers should be secured (S4435) has been deprecated in SonarJava 6.0?

Hello,
I upgraded SonarJava plugin from 5.14.0 to 6.0.1 and I don’t understand why the following rule has been deprecated: RSPEC-4435 XML transformers should be secured. There is no information about the reason in the rule documentation and also in the commit which changed the status from ready to deprecated (see the commit by Michael Gumowski).

Could somebody provide some details? Or maybe it was done by mistake? I like this rule, so the second option sounds better :wink:

Cheers


Maybe you can find some relevant information in this Jira ticket: https://jira.sonarsource.com/browse/SONARJAVA-3226. The ticket however is planned for 6.1 and still open.


Hello @agabrys
S4435 has been deprecated in favor of S2755.

The goal of S2755 is to catch more XXE vulnerability use-cases in the future (including the correct way to secure XML transformers, but not only that).

Eric

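To illustrate what "securing an XML transformer" means in practice, here is an added Java example (not code from the thread, the rule documentation or SonarJava itself) that places the default `TransformerFactory` configuration beside one that disables external DTD and stylesheet access; the sample XML documents and the placeholder DTD URL are constructed, and the expectation that the secured transformer rejects the external-DTD document is an assumption based on the JDK's handling of `ACCESS_EXTERNAL_DTD`.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecuredTransformerExample {

    // Noncompliant shape: the default factory may fetch external DTDs and
    // stylesheets referenced by the input, which is what opens the door to XXE.
    static Transformer defaultTransformer() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        return factory.newTransformer();
    }

    // Compliant shape: an empty protocol list means "no external access at all",
    // so external DTDs and external stylesheets are refused.
    static Transformer securedTransformer() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory.newTransformer();
    }

    // Identity transform of an in-memory document; returns the serialized result.
    static String transform(Transformer transformer, String xml) throws TransformerException {
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample: a plain document with no external references.
        String plain = "<?xml version=\"1.0\"?><note><to>Alice</to></note>";
        System.out.println(transform(securedTransformer(), plain));

        // Constructed sample: a document declaring an external DTD (placeholder URL).
        String withExternalDtd = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE note SYSTEM \"file:///placeholder-external.dtd\">"
                + "<note><to>Bob</to></note>";
        try {
            transform(securedTransformer(), withExternalDtd);
            System.out.println("unexpected: external DTD was not refused");
        } catch (TransformerException e) {
            // Assumption: the hardened factory refuses to read the external DTD.
            System.out.println("refused as expected: " + e.getMessage());
        }
    }
}
```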

Thank you :slight_smile: It would be great if the same explanation could be added to the rule documentation :+1:


One more thing :wink: The rule is still enabled in Sonar way BUILT-IN profile.
