"HttpOnly" should be set on cookies rules for xml

Hi all,

I am using SonarQube 6.7.7 and I have a question for rule squid:S3330 “HttpOnly” should be set on cookies.

On our application the HttpOnly attribute is set on web.xml instead on Java file. Could the rule also be applied to the web.xml file?

I am using “[sonarPath]\sonar-scanner-cli-\sonar-scanner-\bin\sonar-scanner.bat -Dsonar.sources=. -Dsonar.projectName=[projectName] -Dsonar.sourceEncoding=UTF-8 -Dsonar.java.binaries=. -Dsonar.projectKey=[projectKey] -Dsonar.projectVersion=[projectVersion]” to analyze my project

Thank you

hello @fanny_tan,

no, currently the rule will analyze only the Java file. I am not sure I understand your request, are you seeing false-positives because the setting is done in web.xml , or you want to check web.xml and raise issue on it when the setting is missing?

I want to check web.xml and raise issue on it when the setting is missing. Is it possible?

Currently, we don’t have a rule checking for this specific setting. However, I think it can make sense. Can you share some resources which recommend this setting? Isn’t it configured as httpOnly by default?

cc @Alexandre_Gigleux - do you have any opinion on this, I think it’s exactly what you pointed out in your comment here

My opinion is that we should check XML files for not secure configuration. The only remaining decision to take is where do we put such rule? In SonarJava or SonarXML for web.xml? Even if web.xml is related to Java, I would still tend to put the rule in SonarXML and move all XML related rules from SonarJava to SonarXML.