S2092 and S3330 should be adjusted to raise more issues (less FNs):
- For the setcookie() and setrawcookie() functions, both rules are triggered only when the 6th (httpOnly flag = S3330) and the 7th (secure flag = S2092) arguments are explicitly set to false but by default when these arguments are not defined the parameters are set to false::
- So when these arguments are missing the rules should be triggered too.
- Httponly rule (S3330) is currently categorized as a vulnerability but may be considered as a hotspot like secure rule (S2092).
- to be consistent between all the cookie flags.
- because there is a review to do:
- secure flag is mandatory for cookies, it's a best practice to have for all web applications.
- but for dev environment HTTPS may be not implemented
- because there is no direct impact on security (if HTTPS is set the cookie is protected neverless the secure flag set to true or not)
- same thing for httponly, some sites need to set to false this feature (access cookie for client side js)
- and there is no direct impact by setting flag httponly to false