-
Notifications
You must be signed in to change notification settings - Fork 724
SONARJAVA-6522 Don't raise S2092 for deletion cookies #5785
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
nils-werner-sonarsource
merged 7 commits into
master
from
sonarjava-6522-cookie-deletion-pattern
Jul 14, 2026
Merged
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
f6ffe5f
SONARJAVA-6522 Don't raise S2092 for deletion cookies
nils-werner-sonarsource c92e90e
SONARJAVA-6522 Update autoscan golden diffs for S2092
nils-werner-sonarsource b3b5f3b
SONARJAVA-6522 Fix deletion-chain detection for maxAge() after secure()
nils-werner-sonarsource 2cf009b
SONARJAVA-6522 Add context comments to new deletion-cookie methods
nils-werner-sonarsource ee398a5
SONARJAVA-6522 Fix deletion suppression for explicit setSecure(false)
nils-werner-sonarsource 31d3c5c
SONARJAVA-6522 Add coverage for non-identifier receiver and non-liter…
nils-werner-sonarsource bafc692
SONARJAVA-6522 Guard VariableSymbol cast, update autoscan golden diff
nils-werner-sonarsource File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| { | ||
| "ruleKey": "S2092", | ||
| "hasTruePositives": true, | ||
| "falseNegatives": 96, | ||
| "falseNegatives": 99, | ||
| "falsePositives": 0 | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This suppresses the wrong path for the servlet/JAX-RS Cookie case.
isDeletionCookieChain(per its own javadoc) only recognizes the SpringResponseCookiefluent-chain pattern — it walks receiverMethodInvocationTrees. Forcookie.setSecure(false)wherecookieis a plain identifier, the receiver is anIdentifierTree, so the loop inisDeletionCookieChainnever executes and it always returnsfalse.!isDeletionCookieChain(mit)is therefore alwaystruehere, and this line unconditionally reports wheneversecure(false)is a literal — regardless of whether the cookie is a deletion cookie.The
deletionCandidateCookies/checkMaxAgeCallmechanism only removes the entry fromcookieConstructors, which is consulted only inleaveFile()(for cookies that were never explicitly secured). It's never consulted here.Repro — this is the ticket's own second compliant example:
Running
SecureCookieCheckagainst this still raises S2092 on thecookie.setSecure(false)line. Verified with both call orders (setMaxAge(0)before and aftersetSecure(false)) — same result both times, so it's not an ordering issue.None of the new sample cases added in this PR call
.setSecure(false)explicitly (they only rely on the never-explicitly-secured constructor path), so this gap has no test coverage.Suggested fix: this method needs to also check
deletionCandidateCookiesfor the receiver's symbol (likecheckMaxAgeCalldoes) before reporting, not just rely on the Spring-chain check.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch — confirmed and fixed.
isDeletionCookieChainwas indeed Spring-chain-only; the servlet/JAX-RSCookieexplicitsetSecure(false)case never consulteddeletionCandidateCookiesat all.Fixed by deferring the report decision to
leaveFile()for deletion-candidate variables:setMaxAge(0)sightings are now recorded in a plain, never-removed fact set, so the check no longer cares whethersetMaxAge(0)comes before or aftersetSecure(false)in the method. Added test coverage for both statement orders (including your exact repro) plus the still-raises case with nosetMaxAgecall at all.