Regarding 'XML External Entity Injection' issue reported by Fortify on Java code

Hi,

I have a Fortify report which mentions a 'XML External Entity Injection' on TransfromFactory in Java code and I made the below fixes to address this.

TransformerFactory tFactory = TransformerFactory.newInstance();
tFactory.setFeature("">xml.org/.../external-general-entities", false);
tFactory.setFeature("">xml.org/.../external-parameter-entities", false);
tFactory.setFeature("">apache.org/.../disallow-doctype-decl", true);
tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD,"");
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

However, even after these changes the Fortify still reports the 'XML External Entity Injection' error.

while most sites including (https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) mentions only below settings.

TransformerFactory tf = TransformerFactory.newInstance();

tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");

tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Wanted to understand if the Fortify rules around the XEE detection is looking for some specific settings to be set on parser apart from the above.