Remove "<!DOCTYPE ...>" line from generated Cobertura XML

sebastianbergmann · sebastianbergmann · commit 7ac17ae89e9f · 2026-04-04T07:38:00.000+02:00
The DOCTYPE declaration referenced a remote DTD URL. This is problematic because XML parsers may attempt to fetch the DTD over the network, causing timeouts or failures when the remote server is unavailable. No common consumer of Cobertura XML (GitLab CI, Jenkins, Codecov, etc.) performs DTD validation; they only parse elements and attributes. Furthermore, the referenced URL is no longer valid.
diff --git a/ChangeLog-14.0.md b/ChangeLog-14.0.md
@@ -2,6 +2,12 @@
 
 All notable changes are documented in this file using the [Keep a CHANGELOG](http://keepachangelog.com/) principles.
 
+## [14.0.1] - 2026-MM-DD
+
+### Changed
+
+* The XML document of the code coverage report in Cobertura XML format no longer has the `<!DOCTYPE coverage SYSTEM "http://cobertura.sourceforge.net/xml/coverage-04.dtd">` line at the beginning. No document exists at this URL any more, referencing remote DTD URLs is problematic, and no common consumer of Cobertura XML relies on this line.
+
 ## [14.0.0] - 2026-04-03
 
 ### Added
@@ -28,4 +34,5 @@ All notable changes are documented in this file using the [Keep a CHANGELOG](htt
 
 * The `SebastianBergmann\CodeCoverage\Report\PHP` class was removed, use the new `SebastianBergmann\CodeCoverage\Serializer` class instead
 
+[14.0.1]: https://github.com/sebastianbergmann/php-code-coverage/compare/14.0.0...main
 [14.0.0]: https://github.com/sebastianbergmann/php-code-coverage/compare/13.0.2...14.0.0
diff --git a/src/Report/Cobertura.php b/src/Report/Cobertura.php
@@ -16,7 +16,7 @@
 use function range;
 use function str_replace;
 use function time;
-use DOMImplementation;
+use DOMDocument;
 use SebastianBergmann\CodeCoverage\Node\Directory;
 use SebastianBergmann\CodeCoverage\Node\File;
 use SebastianBergmann\CodeCoverage\Util\Filesystem;
@@ -39,17 +39,7 @@ public function process(Directory $report, ?string $target = null): string
     {
         $time = (string) time();
 
-        $implementation = new DOMImplementation;
-
-        $documentType = $implementation->createDocumentType(
-            'coverage',
-            '',
-            'http://cobertura.sourceforge.net/xml/coverage-04.dtd',
-        );
-
-        $document             = $implementation->createDocument('', '', $documentType);
-        $document->xmlVersion = '1.0';
-        $document->encoding   = 'UTF-8';
+        $document             = new DOMDocument('1.0', 'UTF-8');
 
         $coverageElement = $document->createElement('coverage');
 
diff --git a/tests/_files/Report/Cobertura/BankAccount-line.xml b/tests/_files/Report/Cobertura/BankAccount-line.xml
@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE coverage SYSTEM "http://cobertura.sourceforge.net/xml/coverage-04.dtd">
 <coverage line-rate="0.625" branch-rate="0" lines-covered="5" lines-valid="8" branches-covered="0" branches-valid="0" complexity="5" version="0.4" timestamp="%i">
   <sources>
     <source>%s</source>
diff --git a/tests/_files/Report/Cobertura/BankAccount-path.xml b/tests/_files/Report/Cobertura/BankAccount-path.xml
@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE coverage SYSTEM "http://cobertura.sourceforge.net/xml/coverage-04.dtd">
 <coverage line-rate="0.625" branch-rate="0.42857142857143" lines-covered="5" lines-valid="8" branches-covered="3" branches-valid="7" complexity="5" version="0.4" timestamp="%i">
   <sources>
     <source>%s</source>
diff --git a/tests/_files/Report/Cobertura/class-with-anonymous-function.xml b/tests/_files/Report/Cobertura/class-with-anonymous-function.xml
@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE coverage SYSTEM "http://cobertura.sourceforge.net/xml/coverage-04.dtd">
 <coverage line-rate="1" branch-rate="0" lines-covered="8" lines-valid="8" branches-covered="0" branches-valid="0" complexity="1" version="0.4" timestamp="%i">
   <sources>
     <source>%s</source>
diff --git a/tests/_files/Report/Cobertura/class-with-outside-function.xml b/tests/_files/Report/Cobertura/class-with-outside-function.xml
@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE coverage SYSTEM "http://cobertura.sourceforge.net/xml/coverage-04.dtd">
 <coverage line-rate="0.75" branch-rate="0" lines-covered="3" lines-valid="4" branches-covered="0" branches-valid="0" complexity="3" version="0.4" timestamp="%i">
   <sources>
     <source>%s</source>
diff --git a/tests/_files/Report/Cobertura/ignored-lines.xml b/tests/_files/Report/Cobertura/ignored-lines.xml
@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE coverage SYSTEM "http://cobertura.sourceforge.net/xml/coverage-04.dtd">
 <coverage line-rate="1" branch-rate="0" lines-covered="1" lines-valid="1" branches-covered="0" branches-valid="0" complexity="2" version="0.4" timestamp="%i">
   <sources>
     <source>%s</source>

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`<?xml version="1.0" encoding="UTF-8"?>`
`2`		`-<!DOCTYPE coverage SYSTEM "http://cobertura.sourceforge.net/xml/coverage-04.dtd">`
`3`	`2`	`<coverage line-rate="0.625" branch-rate="0" lines-covered="5" lines-valid="8" branches-covered="0" branches-valid="0" complexity="5" version="0.4" timestamp="%i">`
`4`	`3`	`<sources>`
`5`	`4`	`<source>%s</source>`