As of now with SonarJava 5.3, S2092 supports only the javax.servlet.http.Cookie class.
S2092 should support these other common Cookie classes:
- java.net.HttpCookie - no relevant constructor; has setSecure method (default is false)
- javax.ws.rs.core.NewCookie - has multiple constructors with secure argument; no relevant setter
- Apache Shiro has SimpleCookie - no relevant constructor; has setSecure method
- Spring Security SavedCookie - has constructor with secure argument; no relevant setter
- Play framework has Cookie (has constructor with secure param; no relevant setter) and CookieBuilder (has withSecure method)
For all the above classes, the default value for the secure field is false.
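
As an added illustration (not SonarJava's own test code), here are the two API shapes listed above, setter-only and constructor-only, using java.net.HttpCookie and javax.ws.rs.core.NewCookie. The Noncompliant/Compliant markers are the verdicts an extended S2092 would be expected to give; the class name, method names, cookie name and token are constructed, and running it assumes a JAX-RS implementation on the classpath.

```java
import java.net.HttpCookie;
import javax.ws.rs.core.NewCookie; // assumption: JAX-RS API and an implementation on the classpath

// Hypothetical fixture class; markers show the verdicts expected from an extended S2092.
public class CookieSecureFlagSamples {

    // Setter style: no constructor takes the flag, so it stays false unless set.
    static HttpCookie httpCookieFlagNeverSet(String token) {
        HttpCookie c = new HttpCookie("SESSION", token); // Noncompliant: setSecure(true) never called
        c.setHttpOnly(true); // HttpOnly does not imply Secure
        return c;
    }

    static HttpCookie httpCookieFlagDisabled(String token) {
        HttpCookie c = new HttpCookie("SESSION", token);
        c.setSecure(false); // Noncompliant: explicitly disabled
        return c;
    }

    static HttpCookie httpCookieSecure(String token) {
        HttpCookie c = new HttpCookie("SESSION", token);
        c.setSecure(true); // Compliant
        return c;
    }

    // Constructor style: no setter, so the flag must be passed at creation.
    static NewCookie newCookieShortOverload(String token) {
        return new NewCookie("SESSION", token); // Noncompliant: overload without a secure argument
    }

    static NewCookie newCookieFlagDisabled(String token) {
        // name, value, path, domain, comment, maxAge, secure
        return new NewCookie("SESSION", token, "/", null, "session id", 3600, false); // Noncompliant
    }

    static NewCookie newCookieSecure(String token) {
        return new NewCookie("SESSION", token, "/", null, "session id", 3600, true); // Compliant
    }

    public static void main(String[] args) {
        String token = "constructed-sample-value"; // constructed, not a real session id
        System.out.println("HttpCookie, flag never set: " + httpCookieFlagNeverSet(token).getSecure());
        System.out.println("HttpCookie, setSecure(false): " + httpCookieFlagDisabled(token).getSecure());
        System.out.println("HttpCookie, setSecure(true): " + httpCookieSecure(token).getSecure());
        System.out.println("NewCookie, short overload: " + newCookieShortOverload(token).isSecure());
        System.out.println("NewCookie, secure=false: " + newCookieFlagDisabled(token).isSecure());
        System.out.println("NewCookie, secure=true: " + newCookieSecure(token).isSecure());
    }
}
```

For setter-style classes the rule has to track the object after construction and report when no setSecure(true) call reaches it; for constructor-style classes it only needs to inspect which overload is used and the value of the secure argument.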