Unable to resolve 'Untrusted XML should be parsed with a local, static DTD' in Sonar
I have these code blocks in my project (Java, using Lombok):
val factory = (XMLInputFactory2) XMLInputFactory.newInstance();
val streamReader = (XMLStreamReader2) factory.createXMLStreamReader(inputStream);
and
val factory = XMLInputFactory.newInstance();
val eventReader = factory.createXMLEventReader(new CharArrayReader(marshaledObject.toCharArray()));
I analysed my code with SonarQube (set up with the Docker image owasp/sonarqube).
Both code blocks are flagged as vulnerabilities violating the rule "Untrusted XML should be parsed with a local, static DTD".
I changed the code to:
val factory = (XMLInputFactory2) XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
val streamReader = (XMLStreamReader2) factory.createXMLStreamReader(inputStream);
and
val factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
val eventReader = factory.createXMLEventReader(new CharArrayReader(marshaledObject.toCharArray()));
respectively, and re-ran the analysis. Both code blocks are still flagged as violating the rule above. I don't understand why. Should I set some additional property on the factory?
My project is built with Gradle 5.3.1 and analysed with the org.sonarqube plugin, version 2.6.
This is probably a false positive in the Sonar analysis; judging by the examples given for the rule "Untrusted XML should be parsed with a local, static DTD", your code looks entirely correct.
Once you have confirmed that eventReader is no longer vulnerable, you may want to add // NOSONAR to suppress the false positive. From the SonarQube documentation, Frequently Asked Questions:
False-Positive and Won't Fix
You can mark individual issues False Positive or Won't Fix through the issues interface. If you're using Short-lived branch and PR analysis provided by the Developer Edition, issues marked False Positive or Won't Fix will retain that status after merge. This is the preferred approach.
//NOSONAR
Most language analyzers support the use of the generic mechanism: //NOSONAR at the end of the line of the issue. This will suppress all the issues - now and in the future - that might be raised on the line.
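Before suppressing the finding with // NOSONAR, it is worth checking that the two properties really stop external entity resolution with the StAX implementation on your classpath. The following is an added example, not code from the question or the answer: it builds the factory exactly as in the question and feeds it a constructed document whose external entity points at a temporary canary file. The class and method names (StaxXxeCheck, hardenedFactory, externalEntityBlocked) are assumptions.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeCheck {
    // The two properties from the question; assumed: a JAXP-compliant StAX implementation
    // (JDK built-in or Woodstox) that honours both standard property names.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    // Concatenates all character data the reader reports for the document.
    static String parseText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        while (reader.hasNext()) {
            if (reader.next() == XMLStreamConstants.CHARACTERS) {
                text.append(reader.getText());
            }
        }
        reader.close();
        return text.toString();
    }

    // Returns true when the canary never reaches the parsed text, whether the parser
    // refuses the DOCTYPE with an exception (JDK parser) or leaves the entity unresolved.
    static boolean externalEntityBlocked(XMLInputFactory factory) throws Exception {
        Path canary = Files.createTempFile("xxe-canary", ".txt"); // constructed test file
        try {
            String secret = "CANARY-" + System.nanoTime();
            Files.write(canary, secret.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]>"
                + "<d>&ext;</d>";
            try {
                return !parseText(factory, xml).contains(secret);
            } catch (XMLStreamException refused) {
                return true;
            }
        } finally {
            Files.deleteIfExists(canary);
        }
    }
}
```

Calling externalEntityBlocked(hardenedFactory()) should return true; running the same check against a factory left at its defaults is how you confirm the check itself is meaningful, since the JDK's built-in parser resolves external entities out of the box.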