Merge pull request #7240 from smowton/smowton/admin/derecognise-xxe-secure-processing

Note that FEATURE_SECURE_PROCESSING isn't a sufficient defence against XXE

java/ql/lib/semmle/code/java/security/XmlParsers.qll

@@ -159,15 +159,6 @@ private class ConstantStringExpr extends Expr {
 Expr singleSafeConfig() {
   result.(ConstantStringExpr).getStringValue() =
     "http://apache.org/xml/features/disallow-doctype-decl"
-  or
-  result.(ConstantStringExpr).getStringValue() =
-    "http://javax.xml.XMLConstants/feature/secure-processing"
-  or
-  exists(Field f |
-    result = f.getAnAccess() and
-    f.hasName("FEATURE_SECURE_PROCESSING") and
-    f.getDeclaringType().hasQualifiedName("javax.xml", "XMLConstants")
-  )
 }
 
 /**