The current implementation raises the issue on the cookie variable declaration instead of on the cookie instantiation or where the "Secure" attribute is set to false. This makes the issue harder to understand when the cookie is instantiated on a different line, and it creates some false negatives when there is no variable at all.
Example of false negative. Note that it happens for other cookie APIs too.
When the cookie is a variable, the issue should be raised on the instantiation. See also SONARJAVA-2768, which added support for cookie initialization separated from the declaration.
When the cookie is a parameter and the "secure" attribute is set to false, the issue should be raised where the attribute is set to false.
Another option is to use Secondary Locations to guide the user.
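The cases described above, as an added illustration that is not code from this ticket or from the SonarJava code base. It assumes the `javax.servlet` cookie API; the class name, method names and cookie values are constructed for the example.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class; comments mark where this ticket asks for the issue to be reported.
public class CookieIssueLocations {

  // Declaration and instantiation on different lines:
  // the issue belongs on "new Cookie(...)", not on the declaration.
  void separated(HttpServletResponse response) {
    Cookie session;                          // current location of the issue
    session = new Cookie("SESSION", "abc");  // expected location: "Secure" is never set
    response.addCookie(session);
  }

  // No variable at all: with reporting tied to a variable declaration,
  // there is nothing to report on, so this is a false negative.
  void inline(HttpServletResponse response) {
    response.addCookie(new Cookie("SESSION", "abc")); // expected location
  }

  // Cookie received as a parameter: there is no instantiation in scope,
  // so the issue belongs on the call that sets the attribute to false.
  void parameter(Cookie cookie, HttpServletResponse response) {
    cookie.setSecure(false);                 // expected location
    response.addCookie(cookie);
  }

  // Compliant: the attribute is explicitly enabled before the cookie is sent.
  void compliant(HttpServletResponse response) {
    Cookie session = new Cookie("SESSION", "abc");
    session.setSecure(true);
    response.addCookie(session);
  }
}
```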