* Upgrade/migrate from jdom 1.1 with security issue to newest jdom2

* Fixed: XML parsers should not be vulnerable to XXE attacks * Part of: Make sonar-pmd up to date with PMD 6.55, support up to java20-preview, and allow java21 #422
jborgers · Mar 28, 2024 · 785b993 · 785b993
1 parent 0af6c9e
commit 785b993
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 18 deletions.
diff --git a/pom.xml b/pom.xml
@@ -87,7 +87,7 @@
     <java.frontend.version>7.17.0.31219</java.frontend.version>
     <guava.version>33.1.0-jre</guava.version>
     <sslr.squid.bridge.version>2.7.1.392</sslr.squid.bridge.version>
-    <jdom.version>1.1</jdom.version>
+    <jdom2.version>2.0.6.1</jdom2.version>
     <!-- Sonar settings -->
     <version.sonar-packaging.plugin>1.21.0.505</version.sonar-packaging.plugin>
     <sonar-plugin-api.version>9.13.0.360</sonar-plugin-api.version>

diff --git a/sonar-pmd-plugin/pom.xml b/sonar-pmd-plugin/pom.xml
@@ -119,13 +119,13 @@
       <artifactId>pmd-java</artifactId>
         <version>6.55.0</version>
     </dependency>
+    <!-- https://mvnrepository.com/artifact/org.jdom/jdom2 -->
     <dependency>
-      <groupId>jdom</groupId>
-      <artifactId>jdom</artifactId>
-      <version>${jdom.version}</version>
+      <groupId>org.jdom</groupId>
+      <artifactId>jdom2</artifactId>
+      <version>${jdom2.version}</version>
     </dependency>
 
-
   </dependencies>
 
   <build>

diff --git a/sonar-pmd-plugin/src/main/java/org/sonar/plugins/pmd/xml/PmdRuleSet.java b/sonar-pmd-plugin/src/main/java/org/sonar/plugins/pmd/xml/PmdRuleSet.java
@@ -27,11 +27,11 @@
 import javax.annotation.Nullable;
 
 import org.apache.commons.lang3.StringUtils;
-import org.jdom.CDATA;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.output.Format;
-import org.jdom.output.XMLOutputter;
+import org.jdom2.CDATA;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.output.Format;
+import org.jdom2.output.XMLOutputter;
 
 public class PmdRuleSet {
 

diff --git a/sonar-pmd-plugin/src/main/java/org/sonar/plugins/pmd/xml/factory/XmlRuleSetFactory.java b/sonar-pmd-plugin/src/main/java/org/sonar/plugins/pmd/xml/factory/XmlRuleSetFactory.java
@@ -19,11 +19,11 @@
  */
 package org.sonar.plugins.pmd.xml.factory;
 
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.JDOMException;
-import org.jdom.Namespace;
-import org.jdom.input.SAXBuilder;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.JDOMException;
+import org.jdom2.Namespace;
+import org.jdom2.input.SAXBuilder;
 import org.sonar.api.utils.ValidationMessages;
 import org.sonar.api.utils.log.Logger;
 import org.sonar.api.utils.log.Loggers;
@@ -32,6 +32,7 @@
 import org.sonar.plugins.pmd.xml.PmdRuleSet;
 
 import javax.annotation.Nullable;
+import javax.xml.XMLConstants;
 import java.io.IOException;
 import java.io.Reader;
 import java.util.List;
@@ -52,7 +53,7 @@ public XmlRuleSetFactory(Reader source, ValidationMessages messages) {
         this.messages = messages;
     }
 
-    @SuppressWarnings("unchecked")
+
     private List<Element> getChildren(Element parent, String childName, @Nullable Namespace namespace) {
         if (namespace == null) {
             return parent.getChildren(childName);
@@ -98,10 +99,12 @@ public void close() throws IOException {
      */
     @Override
     public PmdRuleSet create() {
-        final SAXBuilder parser = new SAXBuilder();
+        final SAXBuilder builder = new SAXBuilder();
+        builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
         final Document dom;
         try {
-            dom = parser.build(source);
+            dom = builder.build(source);
         } catch (JDOMException | IOException e) {
             if (messages != null) {
                 messages.addErrorText(INVALID_INPUT + " : " + e.getMessage());