Find XXE issues with static code analysis

Static code analysis can help identify vulnerabilities in code. A well known tool for static code analysis is SonarQube. When you run a code scan on the source code of WebGoat, you will get something like:

If you select the XXE category it will show you the location of the XXE vulnerability.

The next step is to identify whether this is a true issue or a false positive. As you already know from the challenge exercise, this is a real issue. In this case it is put in intentionally.

SonarQube also shows you what you could do to fix this.

If you click on the red button above, you can try to do the XXE challenges again and you will notice that the vulnerabilities are mitigated.