Template for a good false-positive report, formatted with Markdown:
- versions used (SonarQube, Scanner, language analyzer)
- minimal code sample to reproduce (with analysis parameter, and potential instructions to compile).
Wrap code around triple quote ``` for proper formatting
Hi, I have this problem with SonarCloud: XML parsers should not be vulnerable to XXE attacks
My code is this:
```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

// Walks up to three directories looking for a pom.xml and returns its /project/version
static String findVersion(Path path) throws Exception {
    for (int i = 0; i < 3 && path != null; i++, path = path.getParent()) {
        final Path pom = path.resolve("pom.xml");
        try (InputStream is = Files.newInputStream(pom)) {
            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(is);
            doc.getDocumentElement().normalize();
            String version = (String) XPathFactory.newInstance().newXPath().compile("/project/version")
                    .evaluate(doc, XPathConstants.STRING);
            if (version != null) {
                version = version.trim();
                if (!version.isEmpty()) {
                    return version;
                }
            }
        }
    }
    return null;
}
```
Sonar gives me an error on newInstance(). How can I resolve it?
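The rule fires because `DocumentBuilderFactory.newInstance()` is used with its default settings, which still resolve DTDs and external entities. The usual way to satisfy it is to harden the factory before calling `newDocumentBuilder()`. The following is an added example written for this thread, not code from the original post or from SonarSource: it assumes the pom content is available as bytes (a constructed in-memory sample is used so it runs without a filesystem), and the class name `SecurePomReader` and method names are made up for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SecurePomReader {

    /** Builds a DocumentBuilder hardened against XXE (the shape the Sonar rule is looking for). */
    static DocumentBuilder newSecureDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: refuse any DOCTYPE at all. A pom.xml never carries one,
        // so no legitimate input is affected and no entity can ever be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour the SAX/Xerces features but not the one above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties: an empty string means "no protocol is allowed" for external access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Reads /project/version from pom bytes using the hardened parser; null if absent or blank. */
    static String readVersion(byte[] pomBytes) throws Exception {
        Document doc = newSecureDocumentBuilder().parse(new ByteArrayInputStream(pomBytes));
        doc.getDocumentElement().normalize();
        String version = (String) XPathFactory.newInstance().newXPath()
                .compile("/project/version").evaluate(doc, XPathConstants.STRING);
        if (version == null) {
            return null;
        }
        version = version.trim();
        return version.isEmpty() ? null : version;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal pom.xml with no DTD parses as before.
        String plainPom = "<project><version>1.2.3</version></project>";
        System.out.println("version = " + readVersion(plainPom.getBytes(StandardCharsets.UTF_8)));

        // Constructed sample: the same document with a DOCTYPE is rejected before
        // any entity (internal or external) is ever resolved.
        String pomWithDoctype = "<!DOCTYPE project [<!ENTITY v \"1.2.3\">]>"
                + "<project><version>&v;</version></project>";
        try {
            readVersion(pomWithDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

In the original loop the only change needed is to replace `DocumentBuilderFactory.newInstance().newDocumentBuilder()` with a builder obtained from a factory configured like `newSecureDocumentBuilder()` above; the `Files.newInputStream` / XPath part stays the same. The two `setAttribute` calls require a JAXP 1.5 parser (the JDK's built-in one since Java 7u40); an older standalone Xerces may throw `IllegalArgumentException` for them, in which case the `disallow-doctype-decl` feature alone is enough to clear the rule.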