In the following code snippet, the implementation of RSPEC-3330 raises an issue on line 5, although there is nothing wrong with this cookie creation.
The problem is located on line 8 where the method setHttpOnly is called with the argument false.
In this context, the issue is expected on line 8.
S3330 should raise an issue if:
- the cookie is created and there is no call to setHttpOnly in the containing method
- or the cookie is created and there is a call to setHttpOnly with false as argument
The issue is correctly reported for S2092 checking the Secure flag.
Note that S3330 was changed from Security Vulnerability to Security Hotspot.
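
The two reporting conditions listed above, as an added Java example; it is not the snippet the ticket refers to, so the ticket's line numbers 5 and 8 do not apply to it. It assumes the `javax.servlet` API, and the class, method and cookie names are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Constructed illustration of the cases the ticket lists for S3330.
// Class, method and cookie names are hypothetical.
public class CookieExamples {

    // Case 1: the cookie is created and setHttpOnly is never called in the
    // containing method. HttpOnly defaults to false on javax.servlet Cookie,
    // so the constructor call is the only location available to report.
    void noHttpOnlyCall(HttpServletResponse response, String value) {
        Cookie c = new Cookie("session", value); // S3330 expected here
        c.setSecure(true);
        response.addCookie(c);
    }

    // Case 2: the cookie is created and setHttpOnly(false) is called later.
    // The creation itself is fine; the explicit false argument is the
    // problem, so that call is where the ticket expects the issue.
    void httpOnlyDisabled(HttpServletResponse response, String value) {
        Cookie c = new Cookie("session", value); // no issue expected here
        c.setSecure(true);
        c.setHttpOnly(false); // S3330 expected here
        response.addCookie(c);
    }

    // Compliant: HttpOnly is explicitly enabled, so scripts running in the
    // page cannot read the cookie. Neither S3330 condition applies.
    void httpOnlyEnabled(HttpServletResponse response, String value) {
        Cookie c = new Cookie("session", value);
        c.setSecure(true);
        c.setHttpOnly(true);
        response.addCookie(c);
    }
}
```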