WW-5621 Harden XML parsers against Entity Expansion (Billion Laughs) …

3f6f5c4

WW-5621 Harden XML parsers against Entity Expansion (Billion Laughs) attacks [S6] #1643

SonarQubeCloud / SonarCloud Code Analysis failed Mar 29, 2026 in 4m 23s

Quality Gate failed

Failed conditions
25 Security Hotspots
43.3% Coverage on New Code (required ≥ 80%)
3.3% Duplication on New Code (required ≤ 3%)
E Security Rating on New Code (required ≥ A)
E Reliability Rating on New Code (required ≥ A)

Annotations

Check warning on line 296 in core/src/test/java/com/opensymphony/xwork2/conversion/impl/NumberConverterTest.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this useless assignment to local variable "value".

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RFeCvIUCM9Fwtphs&open=AZ04RFeCvIUCM9Fwtphs&pullRequest=1643

Check warning on line 249 in core/src/test/java/com/opensymphony/xwork2/interceptor/AliasInterceptorTest.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this use of "AliasInterceptor"; it is deprecated.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RFCuvIUCM9FwtpWZ&open=AZ04RFCuvIUCM9FwtpWZ&pullRequest=1643

Check warning on line 1132 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/compiler/Validator.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Provide the parametrized type for this generic.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGYtvIUCM9Fwtp6j&open=AZ04RGYtvIUCM9Fwtp6j&pullRequest=1643

Check warning on line 251 in core/src/main/java/com/opensymphony/xwork2/TextProviderSupport.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this use of "ValueStack"; it is deprecated.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RCwCvIUCM9FwtpF2&open=AZ04RCwCvIUCM9FwtpF2&pullRequest=1643

Check warning on line 114 in core/src/main/java/org/apache/struts2/views/jsp/IteratorTag.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove the unnecessary boolean literal.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04REDpvIUCM9FwtpMr&open=AZ04REDpvIUCM9FwtpMr&pullRequest=1643

Check failure on line 1422 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/compiler/Generator.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Refactor this method to reduce its Cognitive Complexity from 35 to the 15 allowed.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGPtvIUCM9Fwtp0M&open=AZ04RGPtvIUCM9Fwtp0M&pullRequest=1643

Check warning on line 74 in core/src/test/java/com/opensymphony/xwork2/mock/DummyTextProvider.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this use of "ValueStack"; it is deprecated.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RFftvIUCM9Fwtph3&open=AZ04RFftvIUCM9Fwtph3&pullRequest=1643

Check warning on line 373 in core/src/test/java/org/apache/struts2/interceptor/FileUploadInterceptorTest.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this use of "ActionContext"; it is deprecated.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04REhTvIUCM9FwtpOd&open=AZ04REhTvIUCM9FwtpOd&pullRequest=1643

Check warning on line 1608 in plugins/embeddedjsp/src/main/java/org/apache/struts2/el/parser/ELParser.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Rename this method name to match the regular expression '^[a-z][a-zA-Z0-9]*$'.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RG-ZvIUCM9FwtqV0&open=AZ04RG-ZvIUCM9FwtqV0&pullRequest=1643

Check warning on line 190 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/runtime/JspRuntimeLibrary.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this call to a deprecated method, it has been marked for removal.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGoRvIUCM9FwtqFg&open=AZ04RGoRvIUCM9FwtqFg&pullRequest=1643

Check warning on line 412 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/compiler/PageDataImpl.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Add the "@Override" annotation above this method signature

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGOYvIUCM9Fwtpx5&open=AZ04RGOYvIUCM9Fwtpx5&pullRequest=1643

Check warning on line 109 in plugins/gxp/src/main/java/org/apache/struts2/views/gxp/GxpResult.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this use of "ActionInvocation"; it is deprecated.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RIaOvIUCM9Fwtqr1&open=AZ04RIaOvIUCM9Fwtqr1&pullRequest=1643

Check warning on line 125 in core/src/main/java/com/opensymphony/xwork2/inject/Scope.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Replace generic exceptions with specific library exceptions or a custom exception.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RBofvIUCM9FwtoxZ&open=AZ04RBofvIUCM9FwtoxZ&pullRequest=1643

Check warning on line 91 in core/src/main/java/com/opensymphony/xwork2/conversion/impl/CollectionConverter.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Provide the parametrized type for this generic.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RClyvIUCM9FwtpDL&open=AZ04RClyvIUCM9FwtpDL&pullRequest=1643

Check warning on line 49 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/runtime/JspFactoryImpl.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Use "Boolean.parseBoolean" for this string-to-boolean conversion.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGpnvIUCM9FwtqHp&open=AZ04RGpnvIUCM9FwtqHp&pullRequest=1643

Check warning on line 140 in plugins/oval/src/main/java/org/apache/struts2/oval/interceptor/OValValidationInterceptor.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Replace generic exceptions with specific library exceptions or a custom exception.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RIHyvIUCM9Fwtqm3&open=AZ04RIHyvIUCM9Fwtqm3&pullRequest=1643

Check failure on line 154 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/tagplugins/jstl/core/Set.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Define a constant instead of duplicating this literal " throw new JspException(ex);" 3 times.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGiJvIUCM9FwtqAu&open=AZ04RGiJvIUCM9FwtqAu&pullRequest=1643

Check warning on line 38 in plugins/portlet/src/test/java/org/apache/struts2/portlet/interceptor/PortletAwareInterceptorTest.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Add the "@Override" annotation above this method signature

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RHuWvIUCM9FwtqjC&open=AZ04RHuWvIUCM9FwtqjC&pullRequest=1643

Check warning on line 126 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/compiler/Dumper.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Add the "@Override" annotation above this method signature

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGWevIUCM9Fwtp5t&open=AZ04RGWevIUCM9Fwtp5t&pullRequest=1643

Check failure on line 89 in core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkCollectionPropertyAccessor.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Refactor this method to reduce its Cognitive Complexity from 19 to the 15 allowed.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RBsMvIUCM9Fwtozg&open=AZ04RBsMvIUCM9Fwtozg&pullRequest=1643

Check warning on line 314 in plugins/embeddedjsp/src/main/java/org/apache/struts2/jasper/compiler/SmapStratum.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Use multiple calls to "append" instead of string concatenation.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RGKVvIUCM9FwtpvL&open=AZ04RGKVvIUCM9FwtpvL&pullRequest=1643

Check warning on line 252 in core/src/main/java/com/opensymphony/xwork2/DefaultActionInvocation.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this use of "Interceptor"; it is deprecated.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RCwwvIUCM9FwtpGg&open=AZ04RCwwvIUCM9FwtpGg&pullRequest=1643

Check warning on line 208 in core/src/test/java/com/opensymphony/xwork2/interceptor/PrepareInterceptorTest.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this use of "Preparable"; it is deprecated.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RFDzvIUCM9FwtpXE&open=AZ04RFDzvIUCM9FwtpXE&pullRequest=1643

Check warning on line 183 in plugins/embeddedjsp/src/main/java/org/apache/struts2/el/lang/ELArithmetic.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Remove this call to a deprecated method, it has been marked for removal.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RHDsvIUCM9FwtqZ_&open=AZ04RHDsvIUCM9FwtqZ_&pullRequest=1643

Check failure on line 36 in plugins/osgi/src/main/java/org/apache/struts2/osgi/DelegatingObjectFactory.java

@sonarqubecloud sonarqubecloud / SonarCloud Code Analysis

Make non-static "bundleResourceLoader" transient or serializable.

See more on https://sonarcloud.io/project/issues?id=apache_struts&issues=AZ04RIPSvIUCM9Fwtqpy&open=AZ04RIPSvIUCM9Fwtqpy&pullRequest=1643