jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Unrecognized feature http://apache.org/xml/features/disallow-doctype-decl #2764

Closed hazemkmammu closed 4 years ago

hazemkmammu commented 4 years ago

Describe the bug
Getting org.xml.sax.SAXNotRecognizedException: unrecognized feature http://apache.org/xml/features/disallow-doctype-decl when analyzing several different dependencies.

Version of dependency-check used
The problem occurs using version 5.3.2.1 of the Gradle plugin.

Log file

2020-08-21T17:52:43.911+0530 [DEBUG] [org.owasp.dependencycheck.AnalysisTask] Begin Analysis of 'C:\Users\hmu\.gradle\caches\modules-2\files-2.1\log4j\log4j\1.2.17\5af35056b4d257e4b64b9e8069c0746e8b08629f\log4j-1.2.17.jar' (Jar Analyzer)
2020-08-21T17:52:43.925+0530 [DEBUG] [org.owasp.dependencycheck.analyzer.JarAnalyzer] Reading pom entry: META-INF/maven/org.slf4j/slf4j-log4j12/pom.xml
2020-08-21T17:52:43.925+0530 [DEBUG] [org.owasp.dependencycheck.analyzer.JarAnalyzer] Reading pom entry: META-INF/maven/org.slf4j/slf4j-api/pom.xml
2020-08-21T17:52:43.931+0530 [DEBUG] [org.owasp.dependencycheck.analyzer.JarAnalyzer] Read pom.properties: META-INF/maven/org.slf4j/slf4j-api/pom.properties
2020-08-21T17:52:43.931+0530 [DEBUG] [org.owasp.dependencycheck.analyzer.JarAnalyzer] Read pom.properties: META-INF/maven/org.slf4j/slf4j-log4j12/pom.properties
2020-08-21T17:52:43.953+0530 [DEBUG] [org.owasp.dependencycheck.analyzer.JarAnalyzer] Reading pom entry: META-INF/maven/log4j/log4j/pom.xml
2020-08-21T17:52:43.953+0530 [DEBUG] [org.owasp.dependencycheck.analyzer.JarAnalyzer] Read pom.properties: META-INF/maven/log4j/log4j/pom.properties
2020-08-21T17:52:43.994+0530 [DEBUG] [org.owasp.dependencycheck.xml.pom.PomParser] 
org.xml.sax.SAXNotRecognizedException: unrecognized feature http://apache.org/xml/features/disallow-doctype-decl
    at org.gjt.xpp.sax2.Driver.setFeature(Driver.java:178)
    at org.gjt.xpp.jaxp11.SAXParserImpl.setFeatures(SAXParserImpl.java:149)
    at org.gjt.xpp.jaxp11.SAXParserImpl.<init>(SAXParserImpl.java:132)
    at org.gjt.xpp.jaxp11.SAXParserFactoryImpl.newSAXParserImpl(SAXParserFactoryImpl.java:114)
    at org.gjt.xpp.jaxp11.SAXParserFactoryImpl.setFeature(SAXParserFactoryImpl.java:142)
    at org.owasp.dependencycheck.utils.XmlUtils.buildSecureSaxParser(XmlUtils.java:151)
    at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:111)
    at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:67)
    at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:431)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:312)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
2020-08-21T17:52:44.000+0530 [DEBUG] [org.owasp.dependencycheck.AnalysisTask] Begin Analysis of 'C:\Users\hmu\.gradle\caches\modules-2\files-2.1\commons-io\commons-io\2.4\b1b6ea3b7e4aa4f492509a4952029cd8e48019ad\commons-io-2.4.jar' (Jar Analyzer)
2020-08-21T17:52:43.996+0530 [WARN] [org.owasp.dependencycheck.xml.pom.PomUtils] Unable to parse pom 'C:\Users\hmu\AppData\Local\Temp\dctemp29cc1b9c-e0eb-4895-958a-956cd02cf3ea\check4341577059632597506tmp\2\pom.xml'
2020-08-21T17:52:44.016+0530 [DEBUG] [org.owasp.dependencycheck.xml.pom.PomUtils] 
org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXNotRecognizedException: unrecognized feature http://apache.org/xml/features/disallow-doctype-decl
    at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:125)
    at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:67)
    at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:431)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:312)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.xml.sax.SAXNotRecognizedException: unrecognized feature http://apache.org/xml/features/disallow-doctype-decl
    at org.gjt.xpp.sax2.Driver.setFeature(Driver.java:178)
    at org.gjt.xpp.jaxp11.SAXParserImpl.setFeatures(SAXParserImpl.java:149)
    at org.gjt.xpp.jaxp11.SAXParserImpl.<init>(SAXParserImpl.java:132)
    at org.gjt.xpp.jaxp11.SAXParserFactoryImpl.newSAXParserImpl(SAXParserFactoryImpl.java:114)
    at org.gjt.xpp.jaxp11.SAXParserFactoryImpl.setFeature(SAXParserFactoryImpl.java:142)
    at org.owasp.dependencycheck.utils.XmlUtils.buildSecureSaxParser(XmlUtils.java:151)
    at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:111)
    ... 11 more

To Reproduce
Add either of the following to the build:

    compile group: 'commons-io', name: 'commons-io', version: '2.4'

or

    compile group: 'log4j', name: 'log4j', version: '1.2.17'

Additional context
Gradle version 6.5.1

mprins commented 4 years ago

It seems your JVM, or the SAX parser that has ended up in your classpath, doesn't know about this flag, while it should, as it turns off entity expansion for DTDs, which is an important security feature.

So the question is: what JVM are you using, and why do you end up with what seems to be an instance of the XPP parser instead of the JVM's built-in XML parser?
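As an added example (not dependency-check's own code), the following Java program shows what the hardening the comment above refers to looks like and how it fails on this classpath: it builds a SAX parser with http://apache.org/xml/features/disallow-doctype-decl and related features set, parses a constructed pom.xml, and refuses a constructed pom.xml that carries a DOCTYPE with an external entity. It also reports which SAXParserFactory implementation JAXP resolves, which is the diagnostic the question asks for. The two POM strings are constructed samples; the feature list beyond disallow-doctype-decl is the example's own choice (only that feature is confirmed by the stack trace); and the program assumes the JDK's built-in parser is what SAXParserFactory.newInstance() returns when it succeeds.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SecurePomParseDemo {

    // Constructed sample input, not from the issue: a pom.xml that smuggles in a
    // DOCTYPE with an external entity (the XXE shape). A hardened parser refuses it.
    static final String POM_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
      + "<project><artifactId>&ext;</artifactId></project>\n";

    // Constructed sample input: a harmless pom.xml like the ones the JarAnalyzer reads.
    static final String PLAIN_POM =
        "<?xml version=\"1.0\"?>\n"
      + "<project><groupId>commons-io</groupId><artifactId>commons-io</artifactId>"
      + "<version>2.4</version></project>\n";

    /** Which SAXParserFactory JAXP resolves on this classpath. */
    static String saxFactoryImplementation() {
        return SAXParserFactory.newInstance().getClass().getName();
    }

    /**
     * Builds a SAX parser hardened against DOCTYPE/XXE, in the spirit of
     * dependency-check's XmlUtils.buildSecureSaxParser. The feature list is this
     * example's own; only disallow-doctype-decl is confirmed by the issue's trace.
     * Fails closed when the factory on the classpath does not understand the
     * hardening features, instead of parsing untrusted XML with an unhardened parser.
     */
    static SAXParser buildSecureSaxParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // The failure in the issue: a non-Xerces factory (XPP) rejects the feature.
            throw new IllegalStateException("SAX factory " + factory.getClass().getName()
                + " cannot be hardened: " + e.getMessage() + "; fix the classpath", e);
        }
        return factory.newSAXParser();
    }

    /** Extracts the artifactId text; throws SAXParseException if a DOCTYPE is present. */
    static String parseArtifactId(String pomXml)
            throws IOException, SAXException, ParserConfigurationException {
        final StringBuilder artifactId = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            private boolean inArtifactId;
            @Override public void startElement(String uri, String localName, String qName, Attributes attrs) {
                inArtifactId = "artifactId".equals(localName);
            }
            @Override public void endElement(String uri, String localName, String qName) {
                inArtifactId = false;
            }
            @Override public void characters(char[] ch, int start, int length) {
                if (inArtifactId) artifactId.append(ch, start, length);
            }
        };
        buildSecureSaxParser().parse(
            new ByteArrayInputStream(pomXml.getBytes(StandardCharsets.UTF_8)), handler);
        return artifactId.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SAXParserFactory in use: " + saxFactoryImplementation());
        System.out.println("plain pom artifactId: " + parseArtifactId(PLAIN_POM));
        try {
            parseArtifactId(POM_WITH_DOCTYPE);
            System.out.println("UNSAFE: DOCTYPE was accepted, the parser is not hardened");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }
    }
}
```

Run it once with only the JDK on the classpath and once with the offending parser jar added: in the second case buildSecureSaxParser throws the IllegalStateException at setFeature, which is the same point where the trace above fails, rather than proceeding with a parser that accepts DOCTYPEs. JAXP resolves the factory from the javax.xml.parsers.SAXParserFactory system property first and from META-INF/services entries on the classpath before falling back to the JDK default, which is how a stray parser jar takes over SAXParserFactory.newInstance(); if the jar cannot be excluded, -Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl forces the JDK implementation.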

hazemkmammu commented 4 years ago

Thanks for your quick reply. You were absolutely right. It is the XML parser.

We were using dom4j as a buildscript dependency. dom4j declares optional transitive dependencies in a non-Gradle-compliant fashion, so all dom4j dependencies are being pulled in. One of those dependencies, pull-parser, checks external XML entities if present on the classpath.

We fixed this by excluding all dom4j dependencies from being pulled in until dom4j fixes their optional dependency declaration.

// Gradle ComponentMetadataRule (Groovy DSL): strips every declared dependency from
// a module's metadata, so none of its mis-declared optional transitives is resolved.
class ClearDependencies implements ComponentMetadataRule {
    @Override
    void execute(ComponentMetadataContext context) {
        context.details.allVariants { withDependencies { clear() } }
    }
}

// Apply the rule to dom4j only: pull-parser (the org.gjt.xpp parser in the trace)
// is no longer resolved, so the JVM's built-in SAX parser is picked up again.
project.dependencies.components.withModule('org.dom4j:dom4j', ClearDependencies.class)

https://github.com/gradle/gradle/issues/13656
https://github.com/dom4j/dom4j/issues/99