mcp-server-semgrep/semgrep-rules/java/lang/security/audit/cookie-missing-httponly.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: cookie-missing-httponly
  metadata:
    cwe:
    - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
    owasp:
    - A05:2021 - Security Misconfiguration
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE
    asvs:
      section: 'V3: Session Management Verification Requirements'
      control_id: 3.4.2 Missing Cookie Attribute
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management
      version: '4'
    category: security
    technology:
    - java
    references:
    - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
  message: >-
    A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag
    for cookies instructs the browser to forbid client-side scripts from reading the
    cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'
  severity: WARNING
  languages: [java]
  patterns:
  - pattern-not-inside: $COOKIE.setValue(""); ...
  - pattern-either:
    - pattern: $COOKIE.setHttpOnly(false);
    - patterns:
      - pattern-not-inside: $COOKIE.setHttpOnly(...); ...
      - pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ...
      - pattern: $RESPONSE.addCookie($COOKIE);