diff --git a/java/change-notes/2021-05-12-xxe-fp-fix.md b/java/change-notes/2021-05-12-xxe-fp-fix.md
new file mode 100644
index 00000000000..dd42bc71256
--- /dev/null
+++ b/java/change-notes/2021-05-12-xxe-fp-fix.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Resolving XML external entity in user-controlled data" (`java/xxe`) has been improved to report fewer false positives when a Builder / Factory (e.g. an `XMLInputFactory`) is configured safely by using a boxed boolean as second argument to one or more of its configuration methods.
diff --git a/java/ql/src/semmle/code/java/security/XmlParsers.qll b/java/ql/src/semmle/code/java/security/XmlParsers.qll
index 685c5754fc9..5e2eb1caf8a 100644
--- a/java/ql/src/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/src/semmle/code/java/security/XmlParsers.qll
@@ -36,7 +36,10 @@ abstract class ParserConfig extends MethodAccess {
 */
 predicate disables(Expr e) {
 this.getArgument(0) = e and
- this.getArgument(1).(BooleanLiteral).getBooleanValue() = false
+ (
+ this.getArgument(1).(BooleanLiteral).getBooleanValue() = false or
+ this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "FALSE")
+ )
 }
 /**
@@ -44,7 +47,10 @@ abstract class ParserConfig extends MethodAccess {
 */
 predicate enables(Expr e) {
 this.getArgument(0) = e and
- this.getArgument(1).(BooleanLiteral).getBooleanValue() = true
+ (
+ this.getArgument(1).(BooleanLiteral).getBooleanValue() = true or
+ this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "TRUE")
+ )
 }
 }
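Review bot: The new `FieldAccess` disjunct in `disables` (and the matching one in `enables` in the second hunk) recognises only the two `java.lang.Boolean` constants, so a configuration call such as `factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.valueOf(false))`, or a `final` local initialised from a literal, still does not satisfy `disables` and — unless XmlParsers.qll handles those spellings somewhere outside these hunks, which I cannot see from here — still yields the false positive the change note says is fixed; a `MethodAccess` whose method `hasQualifiedName("java.lang", "Boolean", "valueOf")` with a `BooleanLiteral` argument would be the natural next case to admit. Separately, both predicates now carry an identical three-way test on `getArgument(1)` that differs only in the constant, so I would factor it into one private helper keyed on a `boolean` and reduce `disables`/`enables` to one line each, as sketched below. The doc comments of both predicates (`/** ... */`) begin outside the hunks and should be extended to state that the boxed constants `Boolean.TRUE`/`Boolean.FALSE` are accepted in addition to literals, since callers of `disables` rely on it to decide a parser is safely configured.
```ql
  /**
   * Holds if the second argument of this call is the boolean constant `b`,
   * written either as a literal or as `Boolean.TRUE` / `Boolean.FALSE`.
   */
  private predicate hasBooleanArgument(boolean b) {
    this.getArgument(1).(BooleanLiteral).getBooleanValue() = b
    or
    exists(Field f | f = this.getArgument(1).(FieldAccess).getField() |
      b = true and f.hasQualifiedName("java.lang", "Boolean", "TRUE")
      or
      b = false and f.hasQualifiedName("java.lang", "Boolean", "FALSE")
    )
  }

  // … unchanged: doc comment of disables …
  predicate disables(Expr e) { this.getArgument(0) = e and this.hasBooleanArgument(false) }

  // … unchanged: doc comment of enables …
  predicate enables(Expr e) { this.getArgument(0) = e and this.hasBooleanArgument(true) }
```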