5 changes: 3 additions & 2 deletions java/main.java
@@ -67,8 +67,9 @@ void connect(HttpServletRequest req){
class Connector6 {
@javax.jws.WebMethod
void connect(HttpServletRequest req){
javax.servlet.http.Cookie cook = new Cookie("cookie");
cook.setSecure(false);
javax.servlet.http.Cookie cook = new Cookie("cookie"); //another comment

LOW  Cookie created without HttpOnly flag
    File: main.java | Checkov ID: CKV3_SAST_16

Description

CWE: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP: A05:2021-Security Misconfiguration

This policy is targeting the creation of HTTP cookies without the "HttpOnly" flag in Java code. The HttpOnly flag is an important security feature that prevents client-side scripts from reading the contents of the cookie. When this flag is not set, it could potentially lead to disclosure of the cookie's contents in the event of a Cross-Site Scripting (XSS) attack.

Here's an example of violating code:

import javax.servlet.http.Cookie;

public class CookieHandler {
    public void createCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        // Other code
    }
}

In this example, a new cookie is created with a provided name and value, but the HttpOnly flag is not set.

LOW  Cookie created without Secure flag set
    File: main.java | Checkov ID: CKV3_SAST_19

Description

CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP: A05:2021-Security Misconfiguration

The policy addresses the issue of creating and setting cookies without the Secure flag. The Secure flag is a directive for the browser, indicating that the cookie should only be sent over secure (HTTPS) connections. If the Secure flag is not set, the cookie may be sent over insecure (HTTP) connections, potentially exposing sensitive information in an environment vulnerable to eavesdropping.

A violating code example could be:

import javax.servlet.http.Cookie;

public class CookieCreator {
    public void createCookie(javax.servlet.http.HttpServletResponse response) {
        Cookie myCookie = new Cookie("name", "value");
        // The cookie is being created without the Secure flag.
        response.addCookie(myCookie);
    }
}

In the above code, a new cookie is being created and added to the HTTP response without setting the Secure flag, thus violating the policy.

cook.setSecure(false); //and another

LOW  Cookie created without Secure flag set
    File: main.java | Checkov ID: CKV3_SAST_19

Description

CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP: A05:2021-Security Misconfiguration

The policy addresses the issue of creating and setting cookies without the Secure flag. The Secure flag is a directive for the browser, indicating that the cookie should only be sent over secure (HTTPS) connections. If the Secure flag is not set, the cookie may be sent over insecure (HTTP) connections, potentially exposing sensitive information in an environment vulnerable to eavesdropping.

A violating code example could be:

import javax.servlet.http.Cookie;

public class CookieCreator {
    public void createCookie(javax.servlet.http.HttpServletResponse response) {
        Cookie myCookie = new Cookie("name", "value");
        // The cookie is being created without the Secure flag.
        response.addCookie(myCookie);
    }
}

In the above code, a new cookie is being created and added to the HTTP response without setting the Secure flag, thus violating the policy.

//and another
req.addCookie(cook);
}
}
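Review bot: both Checkov findings remain valid after this hunk, because `cook.setSecure(false);` still explicitly turns the Secure attribute off and nothing in `connect` calls `cook.setHttpOnly(true)`; only trailing comments were added. If `Connector6` is intended to stay a deliberately vulnerable sample for CKV3_SAST_16 and CKV3_SAST_19, a comment saying so would be more useful than `//another comment`; otherwise the fix is `cook.setSecure(true);` followed by `cook.setHttpOnly(true);` before the cookie is added. Separately, `javax.servlet.http.Cookie` only has a two-argument `(name, value)` constructor and `addCookie` lives on `HttpServletResponse`, not `HttpServletRequest`, so `new Cookie("cookie")` and `req.addCookie(cook)` will not compile if this file is ever built rather than just scanned; worth noting in the file header if that is accepted for a fixture.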