SonarScanner for MsBuild ignores Web.config for S3330(HttpOnly of cookies)


  1. SonarQube 7.5
  2. SonarScanner for MsBuild 4.6.2
  3. SonarC# 7.10

SonarQube has raised a vulnerability that my cookies have HttpOnly set to false which is an accurate statement looking at the code only. But in fact, I have

<httpCookies httpOnlyCookies="true" />

in my Web.config which makes all custom cookies http-only. So far my understanding is that it’s by design and SonarScanner for MsBuild simply ignores *.config files. But in general, I believe it’s a false positive and/or an improvement.

1 Like

We have the Developer Edition Version 8.2 (build 32929) and it does this as well.

Hello @lwm and @Nathaniel_Jones

Welcome to the community @lwm !

Thanks for this relevant report.

For the moment, you are right, we don’t analyze web.config file.
We will see if we can handle this and get back to you in few weeks.

Temporary, you can mark this security-hotspot as “safe” in SonarQube or explicitely change the code to a compliant solution known by SonarQube:

HttpCookie MyCookie = new HttpCookie("MyCookie");
MyCookie.HttpOnly = true; // Compliant


Thank you, @eric.therond, for the prompt response. I will go the proposed way so far. Looking forward to news

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.