fix vulnerability identified by Sonar

JIRA: TRNSPRTPCE-193
Signed-off-by: guillaume.lambert <guillaume.lambert@orange.com>
Change-Id: Ifce9b71e5c9233145188107586428039f38b1c16

diff --git a/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java b/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java
index 90efeca088cdea7b68df5499dbf871b88785fd1a..a83fa3787111cd5b23abdb079762c7f0172e5c79 100644 (file)
--- a/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java
+++ b/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java
@@ -58,6 +58,9 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
     private XMLDataObjectConverter(SchemaContext schemaContext, BindingNormalizedNodeSerializer codecRegistry) {
         super(schemaContext, codecRegistry);
         this.xmlInputFactory = XMLInputFactory.newInstance();
+        // set external DTD and schema to null to avoid vulnerability (sonar report)
+        this.xmlInputFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        this.xmlInputFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
     }
 
     /**