XML parsers should not be vulnerable to XXE attacks (S2755)

  • Version 8.1 (build 31237)

When trying to get an instance of DocumentBuilderFactory, I got this SonarQube vulnerability: Disable access to external entities in XML parsing.

Should we add the feature below to the instance of DocumentBuilderFactory to ignore the error?

Is this secure? I believe this vulnerability is a false positive.

Hello,

We completely reworked this rule in version >= 6.2 of the Java analyzer. Since an older version is included by default in SonarQube 8.1, you might face less precise results for this rule if you didn't update anything.

In any case, I believe the current description of the rule is pretty good; you should find plenty of information there.

If you still have questions or something is not clear, feel free to come back to us here.

Best,
Quentin