Hi,
I have a Fortify report which mentions an 'XML External Entity Injection' on TransformerFactory in Java code, and I made the fixes below to address this.
TransformerFactory tFactory = TransformerFactory.newInstance();
tFactory.setFeature("xml.org/.../external-general-entities", false);
tFactory.setFeature("xml.org/.../external-parameter-entities", false);
tFactory.setFeature("apache.org/.../disallow-doctype-decl", true);
tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
However, even after these changes Fortify still reports the 'XML External Entity Injection' error,
while most sites, including the OWASP cheat sheet (https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html), mention only the settings below.
TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
I wanted to understand whether the Fortify rules around XXE detection look for some specific settings to be set on the parser apart from the above.
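For reference, here is an added, self-contained example (not code from the original post) that shows what the two OWASP-recommended attributes actually do at runtime: a TransformerFactory hardened with ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET set to the empty string is fed a constructed input document carrying a classic external-entity DOCTYPE, and the transform is compared against an unhardened factory. The "secret" file, the input document and the stylesheet are all constructed inline so the program runs offline with only the JDK.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeTransformerDemo {

    // Hardened factory: secure processing plus the two JAXP 1.5 access properties.
    // The empty string means "no protocol is allowed", i.e. every external fetch is refused.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Covers external DTDs / external entities in the DOCTYPE of both the source and the stylesheet.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Covers xsl:import, xsl:include and the document() function inside the stylesheet.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Unhardened factory, kept only to show the difference in behaviour.
    static TransformerFactory defaultFactory() {
        return TransformerFactory.newInstance();
    }

    // Compile the stylesheet and run it over the XML; both arrive as untrusted strings.
    static String transform(TransformerFactory tf, String xslt, String xml) throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for /etc/passwd or an application config.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        try {
            // Constructed attacker-controlled input: an external entity that reads the secret file.
            String xml = "<?xml version=\"1.0\"?>\n"
                    + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                    + "<doc>&xxe;</doc>";

            // Harmless stylesheet: it just emits the text content of <doc>.
            String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
                    + "  <xsl:output method=\"text\"/>\n"
                    + "  <xsl:template match=\"/\"><xsl:value-of select=\"/doc\"/></xsl:template>\n"
                    + "</xsl:stylesheet>";

            // Unhardened: the entity is resolved and the file content leaks into the output.
            System.out.println("default  : " + transform(defaultFactory(), xslt, xml));

            // Hardened: the parser refuses the file: fetch and the transform fails.
            try {
                System.out.println("hardened : " + transform(hardenedFactory(), xslt, xml));
            } catch (TransformerException e) {
                System.out.println("hardened : blocked -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Two design notes on this example. First, it deliberately calls setFeature only with FEATURE_SECURE_PROCESSING: the SAX feature URIs for external-general-entities, external-parameter-entities and disallow-doctype-decl are parser features, and the JDK's built-in (XSLTC) TransformerFactory.setFeature throws a TransformerConfigurationException for feature names it does not know, so those calls belong on a SAXParserFactory or DocumentBuilderFactory, not on the transformer. Second, when the untrusted XML is parsed up front by such a hardened DocumentBuilder and handed to the transformer as a DOMSource, the transformer never parses attacker-controlled bytes itself, which keeps the XXE-relevant configuration in one place that is easy to review.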