Skip to content

SONARJAVA-6245 Update rules metadata#5559

Merged
leonardo-pilastri-sonarsource merged 2 commits intomasterfrom
update-rule-metadata
Apr 9, 2026
Merged

SONARJAVA-6245 Update rules metadata#5559
leonardo-pilastri-sonarsource merged 2 commits intomasterfrom
update-rule-metadata

Conversation

@leonardo-pilastri-sonarsource
Copy link
Copy Markdown
Contributor

@leonardo-pilastri-sonarsource leonardo-pilastri-sonarsource commented Apr 9, 2026

No description provided.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod bot changed the title Update rules metadata SONARJAVA-6245 Update rules metadata Apr 9, 2026
@hashicorp-vault-sonar-prod
Copy link
Copy Markdown
Contributor

hashicorp-vault-sonar-prod bot commented Apr 9, 2026
edited by atlassian bot
Loading

SONARJAVA-6245

@sonar-review-alpha
Copy link
Copy Markdown
Contributor

sonar-review-alpha bot commented Apr 9, 2026
edited
Loading

Summary

This PR updates rule S2092 (secure cookie flag) metadata to align with current SonarSource standards:

Key changes:

  • Rule classification: Changed from SECURITY_HOTSPOT to VULNERABILITY in the JSON metadata
  • Documentation restructure: Converted rule description HTML from legacy format (Ask Yourself Whether / Recommended Practices) to modern format (Why is this an issue? / Potential impact / How to fix it)
  • Content improvements: Added detailed explanation of session hijacking risks, improved code examples with diff markup (data-diff-id/data-diff-type), and changed terminology from "Sensitive Code Example" to "Noncompliant code example" to match current conventions
  • Title refinement: Simplified rule title from "Creating cookies without the "secure" flag is security-sensitive" to "Cookies should have the "secure" flag"
  • Metadata cleanup: JSON formatting adjustment and timestamp update

The changes modernize the rule presentation without altering the core detection logic or severity assessment.

What reviewers should know

What to review:

  1. Type change impact: The S2092 rule type changed from SECURITY_HOTSPOT to VULNERABILITY. Verify this classification change is intentional and doesn't affect how the rule is processed by SonarQube.

  2. HTML documentation: Check that the restructured rule description is clearer and the new format (with diff markup in code examples) renders correctly in SonarQube.

  3. Breaking changes: Confirm that changing from SECURITY_HOTSPOT to VULNERABILITY doesn't break any existing integrations, dashboards, or rule filtering logic that depends on the old type.

  4. Metadata consistency: The JSON formatting moves quickfix earlier in the structure—verify this doesn't affect parsing or tooling that depends on JSON field order.

No logic changes—this is purely metadata and documentation updates.

  • Generate Walkthrough
  • Generate Diagram

🗣️ Give feedback

tomasz-tylenda-sonarsource
tomasz-tylenda-sonarsource requested changes Apr 9, 2026
View reviewed changes
Comment thread sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html Outdated
@sonarqube-next
Copy link
Copy Markdown

sonarqube-next bot commented Apr 9, 2026

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@leonardo-pilastri-sonarsource leonardo-pilastri-sonarsource merged commit 4a37dfe into master Apr 9, 2026
16 of 17 checks passed
@leonardo-pilastri-sonarsource leonardo-pilastri-sonarsource deleted the update-rule-metadata branch April 9, 2026 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tomasz-tylenda-sonarsource tomasz-tylenda-sonarsource tomasz-tylenda-sonarsource approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@leonardo-pilastri-sonarsource @tomasz-tylenda-sonarsource