java.servlets.security.cookie-issecure-false.cookie-issecure-false

Default session middleware settings: setSecure not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
Definition
rules:
  - id: cookie-issecure-false
    patterns:
      - pattern: |
          $COOKIE = new Cookie(...);
      - pattern-not-inside: |
          $COOKIE = new Cookie(...);
          ...
          $COOKIE.setSecure(true);
    message: "Default session middleware settings: `setSecure` not set to true. This
      ensures that the cookie is sent only over HTTPS to prevent cross-site
      scripting attacks."
    fix-regex:
      regex: setSecure\(false\)
      replacement: setSecure(true)
    metadata:
      vulnerability: Insecure Transport
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://tomcat.apache.org/tomcat-5.5-doc/servletapi/
      category: security
      technology:
        - servlet
        - tomcat
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    severity: WARNING
Examples
cookie-issecure-false.java
import javax.servlet.http.Cookie;

public class Bad {
    public void bad1() {
        // ruleid: cookie-issecure-false
        Cookie cookie = new Cookie("name", "value");
    }

    public void bad2() {
        // ruleid: cookie-issecure-false
        Cookie cookie = new Cookie("name", "value");
        cookie.setSecure(false);
    }
}

public class Ok {
    public void ok1() {
        // ok: cookie-issecure-false
        Cookie cookie = new Cookie("name", "value");
        cookie.setSecure(true);
    }
}
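The following is an added example, not part of this rule's test file or of the Semgrep project. It shows a servlet that issues an authentication cookie in the shape the rule's `pattern-not-inside` accepts (construction and `setSecure(true)` in the same statement sequence), and a listener that hardens the container-managed session cookie, which this rule never examines because its pattern only matches explicit `new Cookie(...)` constructions. The class names, the `/login` path, the `auth_token` cookie name, the `issueToken` helper and the Servlet 3.0+ API are assumptions. Two caveats a practitioner should keep in mind when relying on this rule: the `fix-regex` autofix only rewrites an existing `setSecure(false)` call, so the `bad1` case (no call at all) is reported but not auto-fixed; and the Secure flag governs transport only, which is why the metadata classifies the finding as CWE-319, while script access to the cookie is a separate concern controlled by `setHttpOnly(true)`.

```java
// Added example; not the rule's test code. Assumes the javax.servlet API (3.0+).
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login") // hypothetical path
public class LoginServlet extends HttpServlet {

    private static final SecureRandom RNG = new SecureRandom();

    // Construct and harden the cookie in one method body. The rule's
    // pattern-not-inside only suppresses the finding when $COOKIE.setSecure(true)
    // follows `new Cookie(...)` within the same statement sequence, so moving the
    // setSecure call into a different method would still produce a report.
    static Cookie hardenedCookie(String name, String value, int maxAgeSeconds) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);    // browser returns it only over TLS (CWE-319 on this page)
        cookie.setHttpOnly(true);  // not readable via document.cookie; independent of Secure
        cookie.setPath("/");
        cookie.setMaxAge(maxAgeSeconds);
        return cookie;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A Secure cookie set on a plain-HTTP response is never sent back by the
        // browser over HTTP, so refuse to mint a credential on a non-TLS request
        // instead of silently issuing a cookie that will not work.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        String token = issueToken(); // hypothetical helper, see below
        resp.addCookie(hardenedCookie("auth_token", token, 3600)); // constructed name
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Hypothetical helper: 256 bits from SecureRandom, base64url without padding.
    // Real code would also associate the token with a server-side session record.
    private static String issueToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The container's own session cookie (JSESSIONID on Tomcat) is never created
    // with `new Cookie(...)` in application code, so this rule cannot see it.
    // Harden it through SessionCookieConfig at startup instead; the equivalent
    // web.xml setting is <session-config><cookie-config><secure>true</secure>
    // <http-only>true</http-only></cookie-config></session-config>.
    @WebListener
    public static class SessionCookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setSecure(true);
            cfg.setHttpOnly(true);
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
            // nothing to release
        }
    }
}
```

Running `semgrep --config` with this rule over the file above produces no finding for `hardenedCookie`, because the `setSecure(true)` call sits inside the same method as the construction. The `SessionCookieConfig` listener is not a substitute for the rule: it covers only the container session cookie, while every application-created cookie still needs its own `setSecure(true)`.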
Short Link: https://sg.run/pxn0