SONARJAVA-6245 Update rules metadata (#5559)

leonardo-pilastri-sonarsource · web-flow · commit 4a37dfe52fd8 · 2026-04-09T16:34:02.000+02:00
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.html
@@ -1,35 +1,39 @@
 <p>When a cookie is protected with the <code>secure</code> attribute set to <em>true</em> it will not be send by the browser over an unencrypted HTTP
 request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>the cookie is for instance a <em>session-cookie</em> not designed to be sent over non-HTTPS communication.</li>
-  <li>it’s not sure that the website contains <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content">mixed content</a> or not
-  (ie HTTPS everywhere or not)</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li>It is recommended to use <code>HTTPs</code> everywhere so setting the <code>secure</code> flag to <em>true</em> should be the default behaviour
-  when creating cookies.</li>
-  <li>Set the <code>secure</code> flag to <em>true</em> for session-cookies.</li>
-</ul>
-<h2>Sensitive Code Example</h2>
+<h2>Why is this an issue?</h2>
+<p>When a cookie is created without the <code>secure</code> attribute set to <code>true</code>, browsers will transmit it over unencrypted HTTP
+connections as well as HTTPS. An attacker who can observe or intercept network traffic—for example on a public Wi-Fi network—can read the cookie value
+in cleartext.</p>
+<h3>What is the potential impact?</h3>
+<h4>Session hijacking</h4>
+<p>If a session cookie is transmitted over an unencrypted HTTP connection, an attacker who can intercept the traffic can steal it. With a valid
+session cookie, the attacker can impersonate the victim and gain full access to their account without knowing their password. Even on sites that
+primarily use HTTPS, a single HTTP request containing the session cookie is enough to expose it.</p>
+<h2>How to fix it in Servlet</h2>
+<p>Call <code>setSecure(true)</code> on the <code>Cookie</code> object to ensure it is only transmitted over HTTPS.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
 <p>If you create a security-sensitive cookie in your JAVA code:</p>
-<pre>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 Cookie c = new Cookie(COOKIENAME, sensitivedata);
-c.setSecure(false);  // Sensitive: a security-ensitive cookie is created with the secure flag set to false
+c.setSecure(false);  // Noncompliant
 </pre>
 <p>By default the <a href="https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)"><code>secure</code></a> flag is set
 to <em>false:</em></p>
-<pre>
-Cookie c = new Cookie(COOKIENAME, sensitivedata);  // Sensitive: a security-sensitive cookie is created with the secure flag not defined (by default set to false)
+<pre data-diff-id="2" data-diff-type="noncompliant">
+Cookie c = new Cookie(COOKIENAME, sensitivedata);  // Noncompliant: cookies are created by default without a secure flag
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+Cookie c = new Cookie(COOKIENAME, sensitivedata);
+c.setSecure(true);
 </pre>
-<h2>Compliant Solution</h2>
-<pre>
+<pre data-diff-id="2" data-diff-type="compliant">
 Cookie c = new Cookie(COOKIENAME, sensitivedata);
-c.setSecure(true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag set to true
+c.setSecure(true);
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
   <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
   <li>OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a></li>
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.json
@@ -1,6 +1,7 @@
 {
-  "title": "Creating cookies without the \"secure\" flag is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Cookies should have the \"secure\" flag",
+  "type": "VULNERABILITY",
+  "quickfix": "unknown",
   "code": {
     "impacts": {
       "SECURITY": "LOW"
@@ -49,6 +50,5 @@
     "STIG ASD_V5R3": [
       "V-222576"
     ]
-  },
-  "quickfix": "unknown"
+  }
 }
diff --git a/sonarpedia.json b/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2026-03-12T13:07:16.598544876Z",
+  "latest-update": "2026-04-09T13:46:03.313330Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`{`
`2`		`- "title": "Creating cookies without the \"secure\" flag is security-sensitive",`
`3`		`- "type": "SECURITY_HOTSPOT",`
	`2`	`+ "title": "Cookies should have the \"secure\" flag",`
	`3`	`+ "type": "VULNERABILITY",`
	`4`	`+ "quickfix": "unknown",`
`4`	`5`	`"code": {`
`5`	`6`	`"impacts": {`
`6`	`7`	`"SECURITY": "LOW"`
`@@ -49,6 +50,5 @@`
`49`	`50`	`"STIG ASD_V5R3": [`
`50`	`51`	`"V-222576"`
`51`	`52`	`]`
`52`		`- },`
`53`		`- "quickfix": "unknown"`
	`53`	`+ }`
`54`	`54`	`}`