SonarQube has raised a vulnerability that my cookies have HttpOnly set to false, which is an accurate statement looking at the code only. But in fact, I have
<httpCookies httpOnlyCookies="true" />
in my Web.config, which makes all custom cookies http-only. So far my understanding is that it’s by design and SonarScanner for MSBuild simply ignores *.config files. But in general, I believe it’s a false positive and/or an improvement.
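A configuration check that can sit beside the scanner in a build, shown as an added example that is not part of the original post and is not SonarQube's own logic: it reads a Web.config and reports every scope where `httpOnlyCookies` is not enabled. The sample file, the `legacy` location path and the function names are constructed for illustration, and the check assumes a Web.config without an XML namespace and without config transforms.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config: the root setting quoted in the post plus a
# hypothetical <location> override that switches the default back off.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
  <location path="legacy">
    <system.web>
      <httpCookies httpOnlyCookies="false" />
    </system.web>
  </location>
</configuration>"""


def http_only_by_scope(config_xml):
    """Map each scope that sets (or, for the root, defaults) httpOnlyCookies
    to its boolean value. Scopes are '<root>' and 'location:<path>'."""
    root = ET.fromstring(config_xml)
    scopes = [("<root>", root)]
    for loc in root.findall("location"):
        scopes.append(("location:" + loc.get("path", "."), loc))
    result = {}
    for name, node in scopes:
        element = node.find("system.web/httpCookies")
        if element is None:
            if node is root:
                result[name] = False  # ASP.NET default when nothing is configured
            continue  # a <location> without the element inherits the root value
        value = element.get("httpOnlyCookies", "false")
        result[name] = value.strip().lower() == "true"
    return result


def scopes_without_http_only(config_xml):
    """Scopes where new cookies are not HttpOnly by default."""
    return sorted(s for s, ok in http_only_by_scope(config_xml).items() if not ok)


if __name__ == "__main__":
    for scope in scopes_without_http_only(SAMPLE_WEB_CONFIG):
        print("httpOnlyCookies is not enabled for scope:", scope)
```

The setting only supplies the default for newly created cookies, so code that assigns `HttpOnly = false` explicitly still needs a review of its own.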