fix: split cookie rules

rules/go/gorilla/cookie_missing_http_only.yml

@@ -0,0 +1,95 @@
+patterns:
+  - pattern: $<SESSION>
+    filters:
+      - variable: SESSION
+        detection: go_gorilla_cookie_missing_http_only_session
+        scope: cursor_strict
+      - not:
+          variable: SESSION
+          detection: go_gorilla_cookie_missing_http_only_http_only_true
+          scope: cursor_strict
+auxiliary:
+  - id: go_gorilla_cookie_missing_http_only_sessions_init
+    patterns:
+      - import $<!>"github.com/gorilla/sessions"
+      - |
+        import (
+          $<!>"github.com/gorilla/sessions"
+        )
+  - id: go_gorilla_cookie_missing_http_only_true
+    patterns:
+      - "true"
+  - id: go_gorilla_cookie_missing_http_only_http_only_true
+    patterns:
+      - pattern: "$<_>{ HttpOnly: $<TRUE> }"
+        filters:
+          - variable: "TRUE"
+            detection: go_gorilla_cookie_missing_http_only_true
+            scope: cursor
+  - id: go_gorilla_cookie_missing_http_only_session
+    patterns:
+      - pattern: $<SESSION>.Options{}
+        filters:
+          - variable: SESSION
+            detection: go_gorilla_cookie_missing_http_only_sessions_init
+            scope: cursor
+languages:
+  - go
+metadata:
+  description: "Missing 'HttpOnly' option in cookie configuration."
+  remediation_message: |
+    ## Description
+
+    When set to "true", the "HttpOnly" attribute protects the cookie value from being accessed by client side JavaScript such as reading the "document.cookie" values.
+    By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.
+
+    It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.
+
+    ## Remediations
+
+    To ensure that cookies, particularly session cookies, are secure:
+
+    ✅ Configure HttpOnly
+
+    Set the `HttpOnly` attribute to `true` within the Gorilla Sessions cookie store. This prevents client-side scripts from accessing the cookie data, reducing XSS attack risks.
+
+    ```go
+    import (
+        "github.com/gorilla/sessions"
+        "net/http"
+    )
+
+    var store = sessions.NewCookieStore([]byte("your-secret-key"))
+
+    func MyHandler(w http.ResponseWriter, r *http.Request) {
+        // Get a session. We're ignoring the error resulted from decoding an
+        // existing session: Get() always returns a session, even if empty.
+        session, _ := store.Get(r, "session-name")
+        // Set some session values.
+        session.Values["foo"] = "bar"
+        // Set the session to be HttpOnly.
+        session.Options.HttpOnly = true
+        // Save changes.
+        session.Save(r, w)
+    }
+    ```
+
+    ✅ Leverage Gorilla SecureCookie
+
+    Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data.
+
+    ✅ Implement Strong Session Management
+
+    Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks.
+
+    ## Resources
+
+    - [Gorilla Sessions Documentation](http://www.gorillatoolkit.org/pkg/sessions)
+    - [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+    - [OWASP Cookies Properties](https://owasp.org/www-community/controls/SecureCookieAttribute)
+
+  cwe_id:
+    - 1004
+  id: go_gorilla_cookie_missing_http_only
+  documentation_url: https://docs.bearer.com/reference/rules/go_gorilla_cookie_missing_http_only
+  cloud_code_suggestions: true

rules/go/gorilla/insecure_cookie.yml

@@ -4,15 +4,10 @@ patterns:
       - variable: SESSION
         detection: go_gorilla_insecure_cookie_session
         scope: cursor_strict
-      - either:
-          - not:
-              variable: SESSION
-              detection: go_gorilla_insecure_cookie_http_only_true
-              scope: cursor_strict
-          - not:
-              variable: SESSION
-              detection: go_gorilla_insecure_cookie_secure_true
-              scope: cursor_strict
+      - not:
+          variable: SESSION
+          detection: go_gorilla_insecure_cookie_secure_true
+          scope: cursor_strict
 auxiliary:
   - id: go_gorilla_insecure_cookie_sessions_init
     patterns:
@@ -31,13 +26,6 @@ auxiliary:
           - variable: "TRUE"
             detection: go_gorilla_insecure_cookie_true
             scope: cursor
-  - id: go_gorilla_insecure_cookie_http_only_true
-    patterns:
-      - pattern: "$<_>{ HttpOnly: $<TRUE> }"
-        filters:
-          - variable: "TRUE"
-            detection: go_gorilla_insecure_cookie_true
-            scope: cursor
   - id: go_gorilla_insecure_cookie_session
     patterns:
       - pattern: $<SESSION>.Options{}
@@ -48,41 +36,19 @@ auxiliary:
 languages:
   - go
 metadata:
-  description: "Missing secure options for cookie detected."
+  description: "Missing 'Secure' option in cookie configuration."
   remediation_message: |
     ## Description
 
-    Cookies are a critical component of web session management. However, improperly secured cookies can expose your application to attacks, such as session hijacking and cross-site scripting (XSS). It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.
+    When set to "true", the "Secure" attribute ensures that a client will only send the cookie to the server when HTTPS is being used.
+    This prevents the cookie from being observed by unauthorized third parties.
+
+    It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.
 
     ## Remediations
 
     To ensure that cookies, particularly session cookies, are secure:
 
-    ✅ Configure HttpOnly
-
-    Set the `HttpOnly` attribute to `true` within the Gorilla Sessions cookie store. This prevents client-side scripts from accessing the cookie data, reducing XSS attack risks.
-
-    ```go
-    import (
-        "github.com/gorilla/sessions"
-        "net/http"
-    )
-
-    var store = sessions.NewCookieStore([]byte("your-secret-key"))
-
-    func MyHandler(w http.ResponseWriter, r *http.Request) {
-        // Get a session. We're ignoring the error resulted from decoding an
-        // existing session: Get() always returns a session, even if empty.
-        session, _ := store.Get(r, "session-name")
-        // Set some session values.
-        session.Values["foo"] = "bar"
-        // Set the session to be HttpOnly.
-        session.Options.HttpOnly = true
-        // Save changes.
-        session.Save(r, w)
-    }
-    ```
-
     ✅ Set Secure Flag
 
     If your site is served over HTTPS, also set the `Secure` flag on the cookie to ensure it's transmitted over secure channels only.
@@ -102,7 +68,6 @@ metadata:
     - [OWASP Cookies Properties](https://owasp.org/www-community/controls/SecureCookieAttribute)
 
   cwe_id:
-    - 1004
     - 614
   id: go_gorilla_insecure_cookie
   documentation_url: https://docs.bearer.com/reference/rules/go_gorilla_insecure_cookie

rules/go/lang/cookie_missing_http_only.yml

@@ -0,0 +1,72 @@
+patterns:
+  - pattern: $<COOKIE>
+    filters:
+      - variable: COOKIE
+        detection: go_lang_cookie_missing_http_only_http_cookie
+        scope: cursor_strict
+      - not:
+          variable: COOKIE
+          detection: go_lang_cookie_missing_http_only_true
+          scope: cursor_strict
+auxiliary:
+  - id: go_lang_cookie_missing_http_only_cookie_init
+    patterns:
+      - import $<!>"net/http"
+      - |
+        import (
+          $<!>"net/http"
+        )
+  - id: go_lang_cookie_missing_http_only_true
+    patterns:
+      - "true"
+  - id: go_lang_cookie_missing_http_only_http_cookie
+    patterns:
+      - pattern: $<HTTP>.Cookie{}
+        filters:
+          - variable: HTTP
+            detection: go_lang_cookie_missing_http_only_cookie_init
+            scope: cursor
+  - id: go_lang_cookie_missing_http_only_http_only_true
+    patterns:
+      - pattern: "$<_>{ HttpOnly: $<TRUE> }"
+        filters:
+          - variable: "TRUE"
+            detection: go_lang_cookie_missing_http_only_true
+            scope: cursor
+languages:
+  - go
+metadata:
+  description: "Missing secure options for cookie detected."
+  remediation_message: |
+    ## Description
+
+    When set to "true", the "HttpOnly" attribute protects the cookie value from being accessed by client side JavaScript such as reading the "document.cookie" values.
+    By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.
+
+    ## Remediations
+
+    To enhance cookie security and protect against common web exploits:
+
+    ✅ Set the `HttpOnly` attribute for cookies to `true`. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks.
+
+    ```go
+    http.SetCookie(w, &http.Cookie{
+        Name:     "session_token",
+        Value:    sessionToken,
+        HttpOnly: true, // Secure the cookie from client-side scripts
+        // Additional flags like Secure, SameSite, etc., should be set as needed.
+    })
+    ```
+
+    ✅ Alongside `HttpOnly`, consider setting `Secure`, `SameSite`, and `Domain` attributes to further secure cookies based on your application’s requirements.
+
+    ## Resources
+
+    For best practices on setting cookies securely, explore:
+
+    - [OWASP Secure Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+    - [MDN Web Docs: HttpOnly Cookie Attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
+  cwe_id:
+    - 1004
+  id: go_lang_cookie_missing_http_only
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_cookie_missing_http_only

rules/go/lang/insecure_cookie.yml

@@ -4,15 +4,10 @@ patterns:
       - variable: COOKIE
         detection: go_lang_insecure_cookie_http_cookie
         scope: cursor_strict
-      - either:
-          - not:
-              variable: COOKIE
-              detection: go_lang_insecure_cookie_secure_true
-              scope: cursor_strict
-          - not:
-              variable: COOKIE
-              detection: go_lang_insecure_cookie_http_only_true
-              scope: cursor_strict
+      - not:
+          variable: COOKIE
+          detection: go_lang_insecure_cookie_true
+          scope: cursor_strict
 auxiliary:
   - id: go_lang_insecure_cookie_cookie_init
     patterns:
@@ -31,45 +26,39 @@ auxiliary:
           - variable: HTTP
             detection: go_lang_insecure_cookie_cookie_init
             scope: cursor
-  - id: go_lang_insecure_cookie_secure_true
+  - id: go_lang_insecure_cookie_true
     patterns:
       - pattern: "$<_>{ Secure: $<TRUE> }"
         filters:
           - variable: "TRUE"
             detection: go_lang_insecure_cookie_true
             scope: cursor
-  - id: go_lang_insecure_cookie_http_only_true
-    patterns:
-      - pattern: "$<_>{ HttpOnly: $<TRUE> }"
-        filters:
-          - variable: "TRUE"
-            detection: go_lang_insecure_cookie_true
-            scope: cursor
 languages:
   - go
 metadata:
   description: "Missing secure options for cookie detected."
   remediation_message: |
     ## Description
 
-    Cookies without proper security settings can be vulnerable to cross-site scripting (XSS) attacks and potentially provide an avenue for unauthorized access to your application.
+    When set to "true", the "Secure" attribute ensures that a client will only send the cookie to the server when HTTPS is being used.
+    This prevents the cookie from being observed by unauthorized third parties.
 
     ## Remediations
 
     To enhance cookie security and protect against common web exploits:
 
-    ✅ **Use HttpOnly Flag**: Set the `HttpOnly` attribute for cookies to `true`. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks.
+    ✅ Set the `Secure` attribute for cookies to `true`. This prevents the cookie from being observed by unauthorized third parties.
 
     ```go
     http.SetCookie(w, &http.Cookie{
         Name:     "session_token",
         Value:    sessionToken,
-        HttpOnly: true, // Secure the cookie from client-side scripts
-        // Additional flags like Secure, SameSite, etc., should be set as needed.
+        Secure: true,
+        // Additional flags like HttpOnly, SameSite, etc., should be set as needed.
     })
     ```
 
-    ✅ **Additional Cookie Attributes**: Alongside `HttpOnly`, consider setting `Secure`, `SameSite`, and `Domain` attributes to further secure cookies based on your application’s requirements.
+    ✅ Alongside `Secure`, consider setting `HttpOnly`, `SameSite`, and `Domain` attributes to further secure cookies based on your application’s requirements.
 
     ## Resources
 
@@ -78,7 +67,6 @@ metadata:
     - [OWASP Secure Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
     - [MDN Web Docs: HttpOnly Cookie Attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
   cwe_id:
-    - 1004
     - 614
   id: go_lang_insecure_cookie
   documentation_url: https://docs.bearer.com/reference/rules/go_lang_insecure_cookie

rules/java/lang/cookie_with_http_only_false.yml

@@ -0,0 +1,39 @@
+imports:
+  - java_shared_lang_instance
+patterns:
+  - pattern: $<COOKIE>.setHttpOnly($<FALSE>)
+    filters:
+      - variable: COOKIE
+        detection: java_shared_lang_instance
+        scope: cursor
+        filters:
+          - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+            regex: \A(javax\.servlet\.http\.)?Cookie\z
+      - variable: "FALSE"
+        detection: java_lang_cookie_with_http_only_false_false
+        scope: cursor
+auxiliary:
+  - id: java_lang_cookie_with_http_only_false_false
+    patterns:
+      - "false;"
+languages:
+  - java
+metadata:
+  description: "Missing secure options for cookie detected."
+  remediation_message: |
+    ## Description
+
+    To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately.
+
+    ## Remediations
+
+    ✅ Set `HttpOnly` to `true` to protect the cookie value from being accessed by client side JavaScript
+
+    ```java
+    cookie.setHttpOnly(true);
+    ```
+  cwe_id:
+    - 1004
+  id: java_lang_cookie_with_http_only_false
+  documentation_url: https://docs.bearer.com/reference/rules/java_lang_cookie_with_http_only_false
+  cloud_code_suggestions: true