We’re introducing a cookie compliance program to comply with the various legislation throughout the world. It would be amazing if there was a rule that detected the various ways cookies can be set within the various languages and frameworks. Is this a possibility?

Hi @Deep6,

There is already a Security-Hotspot rule that raises whenever a cookie value is set. It’s deprecated and will eventually be removed:

We decided to deprecate this rule for the following reason:

  • It’s a very common practice to set cookies, especially for session variables and therefore the rule is noisy.
  • There is no security good practice to be applied other than setting httponly and secure flags and we already have rules for that.

You mention a cookie compliance program. I suppose you are concerned by the fact that setting cookies could have an impact on user privacy. Could you detail a bit how you would use a rule like S2255 to enforce this compliance program?
It would also help if you could detail the legislation you want to comply with.

Thank you

Hi Pierre-Loup,
I’m very aware of the purpose of cookies and the flags required to secure cookies; this is solely to have a safety net for our legal/compliance dept, to be aware of any cookies that are set across the various languages we use.

We have compliance around the requirement for consent of cookies for GDPR, but CPRA is on the horizon as well.

Ideally we’d like to trigger an email on the identification of a new cookie being introduced; even better would be the ability to inject the new cookie into our OneTrust platform via an API.
Does this help?


SonarSource products focus on helping developers with their code quality and security. As of today, we have no plans to create rules specifically for legal/compliance requirements.

Thank you for your suggestion.