SonarJava / SONARJAVA-3197

Rule S3330 should report on "setHttpOnly" method when set to "false" and not when initialized


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.14
    • Fix Version/s: 6.1
    • Component/s: Rules
    • Labels:


      In the following code snippet, the implementation of RSPEC-3330 raises an issue on line 5, while there is nothing wrong with this cookie creation.
      The problem is located on line 8, where the method setHttpOnly is called with the argument false.
      In this context, the issue is expected on line 8.

      S3330 should raise an issue if:

      • the cookie is created and there is no call to setHttpOnly in the containing method
      • or the cookie is created and there is a call to setHttpOnly with false as its argument

      The issue is correctly reported for S2092, which checks the Secure flag.

      Note that S3330 was changed from Security Vulnerability to Security Hotspot.

      import javax.servlet.http.Cookie;

      class A {
        void foo() {
          Cookie c = new Cookie("test", "eric"); // actual issue S3330 (nothing wrong yet: the flag has simply not been set)
          System.out.println("secure: " + c.getSecure());
          c.setHttpOnly(false); // S3330 should raise the issue here instead
          c.setSecure(false); // True Positive (TP) S2092
        }
      }
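      The two conditions above, applied to the Secure flag as well (S2092), as an added, runnable illustration. This is not SonarJava's code, which works on the Java AST; it is a line-oriented approximation written for this ticket. Assumptions: the rule-to-setter mapping RULES, the constructed Java sample SAMPLE (foo() mirrors the snippet above with one extra setPath line so that setHttpOnly lands on line 8, bar() sets both flags to true, baz() never sets them), method bodies detected by brace counting from a one-line header, and a non-literal setter argument treated as unknown and therefore not reported.

```python
import re
from dataclasses import dataclass

# Constructed Java sample (not from the ticket or from SonarJava): foo() mirrors the
# snippet in the ticket, bar() sets both flags correctly, baz() never sets them.
SAMPLE = """\
import javax.servlet.http.Cookie;

class A {
  void foo() {
    Cookie c = new Cookie("test", "eric");
    System.out.println("secure: " + c.getSecure());
    c.setPath("/");
    c.setHttpOnly(false);
    c.setSecure(false);
  }

  void bar() {
    Cookie c = new Cookie("session", "abc");
    c.setHttpOnly(true);
    c.setSecure(true);
  }

  void baz() {
    Cookie c = new Cookie("pref", "dark");
  }
}
"""

# Rule id -> the Cookie setter it watches (assumed mapping, taken from the ticket text).
RULES = {"S3330": "setHttpOnly", "S2092": "setSecure"}


@dataclass(frozen=True)
class Issue:
    rule: str
    line: int      # 1-based line in the source
    message: str


# Crude header match for "Type name(args) {" on one line; an `if (x) {` line would also
# match, which is acceptable for this illustration but not for a real AST-based check.
METHOD_START = re.compile(r"^\s*(?:\w+\s+)*\w+\s*\([^)]*\)\s*\{")
NEW_COOKIE = re.compile(r"\b(\w+)\s*=\s*new\s+Cookie\s*\(")


def method_ranges(lines):
    """Return (start, end) 0-based index ranges of method bodies, found by brace
    counting from a line that looks like a method header (braces inside string
    literals are not special-cased)."""
    ranges = []
    i = 0
    while i < len(lines):
        if METHOD_START.match(lines[i]):
            depth = 0
            for j in range(i, len(lines)):
                depth += lines[j].count("{") - lines[j].count("}")
                if depth == 0:
                    ranges.append((i, j + 1))
                    i = j
                    break
        i += 1
    return ranges


def check_cookie_flags(source, rules=RULES):
    """Apply the semantics requested in the ticket, per rule and per cookie variable:
    - no call to the setter in the containing method -> issue on the creation line;
    - a call with literal false -> issue on that call's line;
    - a call with true (or a non-literal argument, treated as unknown) -> no issue."""
    lines = source.splitlines()
    issues = []
    for start, end in method_ranges(lines):
        body = list(enumerate(lines[start:end], start=start + 1))  # 1-based line numbers
        for created_line, text in body:
            created = NEW_COOKIE.search(text)
            if not created:
                continue
            var = created.group(1)
            for rule, setter in rules.items():
                call = re.compile(r"\b" + re.escape(var) + r"\." + setter + r"\s*\(\s*(\w+)\s*\)")
                calls = []
                for line_no, line_text in body:
                    found = call.search(line_text)
                    if found:
                        calls.append((line_no, found.group(1)))
                if not calls:
                    issues.append(Issue(rule, created_line,
                                        f'{setter} is never called on cookie "{var}"'))
                for line_no, arg in calls:
                    if arg == "false":
                        issues.append(Issue(rule, line_no,
                                            f'{setter}(false) disables the flag on cookie "{var}"'))
    return sorted(issues, key=lambda issue: (issue.line, issue.rule))


if __name__ == "__main__":
    for issue in check_cookie_flags(SAMPLE):
        print(f"{issue.rule} line {issue.line}: {issue.message}")
```

      On SAMPLE this reports S3330 on line 8 (the setHttpOnly(false) call) rather than on the creation at line 5, S2092 on line 9, and both rules on line 19 where baz() creates a cookie and never touches either flag; bar() produces nothing.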


              • Assignee: Eric Therond (eric.therond)
              • Votes: 0
              • Watchers: 1
              • Created: