SonarJava / SONARJAVA-3100

FN on Rule S2092: Update the implementation to raise on cookie instantiation and setSecure


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.13
    • Component/s: Rules
    • Labels:
      None

      Description

      The current implementation raises the issue on the cookie variable declaration instead of on the cookie instantiation or on the call that sets the "Secure" attribute to false. This makes the issue harder to understand when the cookie is instantiated on a different line than it is declared, and it creates false negatives when there is no variable at all (for example when the new cookie is passed directly as an argument).

      Example of a false negative. Note that the same happens with the other cookie APIs covered by the rule.

      import javax.servlet.http.Cookie;
      import javax.servlet.http.HttpServletResponse;

      class JavaNet {
          Cookie httpCookie(HttpServletResponse response) {
              Cookie cookie = new Cookie("name", "value"); // an issue is raised here (on the declaration)
              response.addCookie(new Cookie("name", "value")); // NO issue raised here: no variable to report on
              return new Cookie("name", "value"); // an issue is raised here
          }
      }


      When the cookie is stored in a variable, the issue should be raised on the instantiation. See also SONARJAVA-2768, which added support for cookie initialization separated from the declaration.

      import java.net.HttpCookie;

      class JavaNet {
          public HttpCookie getCookie() { return null; }

          void httpCookie() {
              HttpCookie cookie = getCookie(); // the issue is currently raised here, on the declaration
              if (cookie == null) {
                  cookie = new HttpCookie("name", "value");  // the issue should be raised here, on the instantiation
              }
          }
      }


      When the cookie is a method parameter and the "Secure" attribute is explicitly set to false, the issue should be raised on the call that sets the attribute to false.

      import java.net.HttpCookie;

      class JavaNet {
          public HttpCookie getCookie() { return null; }

          void httpCookie(HttpCookie hc) { // the issue is currently raised on the parameter "hc"
              hc.setSecure(false); // the issue should be raised here
          }
      }


      Another option is to use Secondary Locations to guide the user.
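      To make the proposed reporting locations concrete, here is an added example that is not SonarJava's code (the real rule works on the Java syntax tree, not on source lines): a deliberately small, line-based Python checker that follows the proposal above. It reports a `new Cookie(...)` / `new HttpCookie(...)` call on its own line when the result is not stored in a variable, reports the instantiation line of a variable that never receives `setSecure(true)`, and reports a `setSecure(false)` call on the line of that call. The function name `find_insecure_cookies`, the issue messages and the embedded Java snippets (the three from this ticket plus one compliant variant) are constructed for this example. The checker is scope-insensitive (it tracks variable names per source string), so each snippet is analysed separately.

```python
import re

# Constructors covered by S2092: javax.servlet.http.Cookie and java.net.HttpCookie.
# Both create a cookie whose Secure attribute is unset, i.e. false.
NEW_COOKIE = re.compile(r"\bnew\s+(?:Cookie|HttpCookie)\s*\(")
# `Cookie c = new Cookie(...)` (declaration) or `c = new Cookie(...)` (later assignment)
ASSIGN_NEW = re.compile(r"\b(\w+)\s*=\s*new\s+(?:Cookie|HttpCookie)\s*\(")
# `c.setSecure(true)` / `c.setSecure(false)`
SET_SECURE = re.compile(r"\b(\w+)\s*\.\s*setSecure\s*\(\s*(true|false)\s*\)")


def find_insecure_cookies(java_source):
    """Return [(line_no, message)] sorted by 1-based line number.

    Hypothetical, line-oriented approximation of the reporting locations
    requested in SONARJAVA-3100; not the SonarJava implementation.
    """
    issues = []
    pending = {}  # variable name -> line of its latest `new Cookie(...)`, not yet secured
    for line_no, raw in enumerate(java_source.splitlines(), start=1):
        code = raw.split("//", 1)[0]  # ignore trailing line comments

        secure = SET_SECURE.search(code)
        if secure:
            var, value = secure.groups()
            if value == "false":
                # Raise where the attribute is explicitly set to false (parameter case).
                issues.append((line_no, f'"{var}" has the Secure attribute set to false'))
            # The attribute was set explicitly either way: do not also flag the constructor.
            pending.pop(var, None)
            continue

        assigned = ASSIGN_NEW.search(code)
        if assigned:
            var = assigned.group(1)
            if var in pending:
                # The previous cookie held by this variable was never secured.
                issues.append((pending[var], f'"{var}" is created without the Secure attribute'))
            # Raise on the instantiation, not on the declaration, once we know it stays unsecured.
            pending[var] = line_no
            continue

        if NEW_COOKIE.search(code):
            # No variable to follow (argument or return value): report the constructor call.
            issues.append((line_no, "cookie is created without the Secure attribute"))

    for var, line_no in pending.items():
        issues.append((line_no, f'"{var}" is created without the Secure attribute'))
    return sorted(issues)


# Constructed sample inputs: the three snippets from the ticket and one compliant variant.
INLINE_EXAMPLE = """\
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

class JavaNet {
    Cookie httpCookie(HttpServletResponse response) {
        Cookie cookie = new Cookie("name", "value");
        response.addCookie(new Cookie("name", "value"));
        return new Cookie("name", "value");
    }
}
"""

SPLIT_INIT_EXAMPLE = """\
import java.net.HttpCookie;

class JavaNet {
    public HttpCookie getCookie() { return null; }

    void httpCookie() {
        HttpCookie cookie = getCookie();
        if (cookie == null) {
            cookie = new HttpCookie("name", "value");
        }
    }
}
"""

PARAM_EXAMPLE = """\
import java.net.HttpCookie;

class JavaNet {
    void httpCookie(HttpCookie hc) {
        hc.setSecure(false);
    }
}
"""

COMPLIANT_EXAMPLE = """\
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

class Compliant {
    void addSessionCookie(HttpServletResponse response) {
        Cookie cookie = new Cookie("session", "opaque-id");
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
        response.addCookie(cookie);
    }
}
"""

if __name__ == "__main__":
    for name, src in [("inline", INLINE_EXAMPLE), ("split-init", SPLIT_INIT_EXAMPLE),
                      ("parameter", PARAM_EXAMPLE), ("compliant", COMPLIANT_EXAMPLE)]:
        print(name, find_insecure_cookies(src))
```

      On the first snippet this reports lines 6, 7 and 8 (the instantiation of `cookie`, the inline argument, and the returned cookie), on the second only line 9 (the `cookie = new HttpCookie(...)` assignment, not the declaration), on the third only line 5 (the `setSecure(false)` call), and nothing on the compliant variant.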

              People

              Assignee:
              tibor.blenessy Tibor Blenessy
              Reporter:
              nicolas.harraudeau Nicolas Harraudeau (Inactive)
              Votes:
              0
              Watchers:
              3
