Refactor XML parsing to use safer document builders in multiple classes

[YLChen-007]

Description

the improvement patch for #12120

[shwstppr]

code change LGTM

[codecov]

Codecov Report

❌ Patch coverage is 14.28571% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.17%. Comparing base (e90e436) to head (c57fd05).
⚠️ Report is 8 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...ava/com/cloud/utils/cisco/n1kv/vsm/VsmCommand.java	0.00%	11 Missing ⚠️
...r/src/main/java/com/cloud/test/DatabaseConfig.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #12129      +/-   ##
============================================
- Coverage     16.18%   16.17%   -0.01%     
+ Complexity    13305    13298       -7     
============================================
  Files          5657     5657              
  Lines        498466   498470       +4     
  Branches      60491    60493       +2     
============================================
- Hits          80696    80651      -45     
- Misses       408789   408846      +57     
+ Partials       8981     8973       -8     

Flag	Coverage Δ
uitests	4.00% <ø> (ø)
unittests	17.03% <14.28%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sureshanaparti]

code lgtm

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[Copilot]

Pull request overview

This PR refactors XML parsing across multiple classes to use safer document builders from ParserUtils instead of directly instantiating parser factories. This addresses security concerns related to XML External Entity (XXE) attacks mentioned in issue #12120.

Key Changes

• Replaced DocumentBuilderFactory.newInstance() calls with ParserUtils.getSaferDocumentBuilderFactory()
• Replaced SAXParserFactory.newInstance() with ParserUtils.getSaferSAXParserFactory()
• Added necessary imports for ParserUtils in affected classes

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
utils/src/main/java/com/cloud/utils/cisco/n1kv/vsm/VsmCommand.java	Updated 10 methods to use safer DocumentBuilderFactory from ParserUtils instead of direct instantiation
server/src/main/java/com/cloud/test/DatabaseConfig.java	Replaced SAXParserFactory instantiation with safer ParserUtils method in doConfig()
plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateVolumeCommandWrapper.java	Updated 2 methods to use safer DocumentBuilderFactory for XML parsing operations

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

[Copilot]

The import for ParserUtils is placed between two org.apache.logging.log4j imports, breaking the proper import ordering. Imports should be grouped and sorted alphabetically within their groups. The ParserUtils import should be placed after LogManager import to maintain proper ordering of org.apache.cloudstack and org.apache.logging imports.

Suggested change

	import org.apache.cloudstack.utils.security.ParserUtils;
	import org.apache.logging.log4j.LogManager;
	import org.apache.logging.log4j.LogManager;
	import org.apache.cloudstack.utils.security.ParserUtils;

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15828