When I do scan using fortify tool, I got some issues under "XML External Entity Injection".

TransformerFactory trfactory = TransformerFactory.newInstance(); 

This is the place where it is showing error. I have given the below fix as suggested by fortify

trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false); 
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 

but still the issues are not fixed. How to fix this issue?

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

This would be sufficient.

Sometime it will not work if java version is not compatible.

if (javaVersion > 1.6) {
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      }
else {
        if (javaVersion > 1.5) {
          dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
          dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
        }
else {
          dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
          dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
        }
 }

It worked for me :-)

I tried with "Xalan" implementation class instead of TransformerFactory.newInstance().It worked for me and fortify issue got fixed

        TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
        Transformer transformer = transformerFactoryImpl.newTransformer();

You can also try:

    TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
    Transformer transformer = transformerFactoryImpl.newTransformer();
    transformer.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Add this line. It worked for me.

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);