PUGIXML and SonarQube #493
Unanswered
SajjadAbidi asked this question in Q&A
Unless I'm mistaken, every single "vulnerability" reported by a static analysis toolchain in the last decade in pugixml has been a false positive (there's even a label I had to create for these in issues...). You haven't listed the actual output of the tool but I'd be shocked if any of them are real. You can presumably disable SonarQube analysis on pugixml specifically and/or submit these as bug reports to SonarQube developers.
I use PUGIXML in one of our projects. When we perform SonarQube analysis on our service, multiple vulnerabilities and Security Hotspots appear.
Is there any suggestion to address them?
Regards