Taking a closer look at SonarQube, it seems that many of the rules are disabled for Orekit.[1] In particular I think we should enable “Untrusted XML should be parsed with a local, static DTD” since that has been an issue in the past.
[1] https://sonar.orekit.org/profiles/compare?language=java&name=Orekit&withKey=AW3PZw6mbtI3m42M7Qi4