rspec/rules/S2255/comments-and-links.adoc

=== on 3 Dec 2014, 14:51:04 Ann Campbell wrote:
The goal of this rule is to track the use of cookies. Security auditors can then decide which cookies need attention.

=== on 12 Dec 2014, 20:44:22 Sébastien Gioria wrote:
As a Security auditor, I must said : "you should never store any sensitive information in a cookie". 

=== on 12 Dec 2014, 20:52:16 Ann Campbell wrote:
\[~sebastien.gioria] if you're talking about the title, the current version follows our standards:

X should [not] y

cc [~freddy.mallet]

=== on 12 Dec 2014, 21:09:38 Sébastien Gioria wrote:
\[~ann.campbell.2]: I refer to the Message in the rule : "If the data stored in this cookie is sensitive, it should be encrypted or stored internally in the user session. " 


Message should be : "If the data stored in this cookie is sensitive, it should be stored internally in the user session. "


=== on 15 Dec 2014, 10:32:07 Freddy Mallet wrote:
I agree with [~sebastien.gioria] [~ann.campbell.2], we should remove the "encrypted" option in the remediation action.  

=== on 15 Dec 2014, 14:53:18 Ann Campbell wrote:
Done [~sebastien.gioria]

cc [~freddy.mallet]

=== on 20 Jul 2015, 07:44:10 Ann Campbell wrote:
Tagged java-top by Ann

=== on 7 Mar 2018, 19:01:41 Ann Campbell wrote:
\[~alexandre.gigleux] that "derived from" reference you omitted was there because of discussions and agreement with the FindSecBugs author. Granted, this was several years ago (the Geneva office was still on 5) but...

=== on 9 Mar 2018, 20:51:25 Alexandre Gigleux wrote:
\[~ann.campbell.2] Fixed

=== on 28 Mar 2018, 16:35:00 Alexandre Gigleux wrote:
This is a "Security Hotspot".

=== on 14 May 2018, 08:57:31 Andrei Epure wrote:
Having the https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[FindSecBugs rule COOKIE_USAGE] in the description is a bit misleading. The description of the rule is ok, but the actual find-sec-bugs implementation is inside https://github.com/find-sec-bugs/find-sec-bugs/blob/1d288ef15122a4d883343769dd221cbe7bbeecb1/plugin/src/main/java/com/h3xstream/findsecbugs/cookie/CookieReadDetector.java[CookieReadDetector.java] which merely detects if the cookie is read.

=== on 15 Nov 2018, 14:32:20 Alexandre Gigleux wrote:
\[~andrei.epure] This rule was inspired by FindSecBugs one and we agreed years ago with the main contributor of FindSecBugs to keep a reference to his rule.

=== on 21 May 2019, 19:49:42 Ann Campbell wrote:
It's not _writing_ cookies that's the (potential) problem but what you store in them, right?

=== on 27 May 2020, 16:51:51 Eric Therond wrote:
Deprecated because it overlaps with rules related to cookies (flags etc)

The content of a cookies is often sensitive (session id, tracking id), it's their goal, there is nothing to fix when an issue is raised here.
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 3 Dec 2014, 14:51:04 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`The goal of this rule is to track the use of cookies. Security auditors can then decide which cookies need attention.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Dec 2014, 20:44:22 Sébastien Gioria wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`As a Security auditor, I must said : "you should never store any sensitive information in a cookie".`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Dec 2014, 20:52:16 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~sebastien.gioria] if you're talking about the title, the current version follows our standards:`

			`X should [not] y`

			`cc [~freddy.mallet]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Dec 2014, 21:09:38 Sébastien Gioria wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~ann.campbell.2]: I refer to the Message in the rule : "If the data stored in this cookie is sensitive, it should be encrypted or stored internally in the user session. "`


			`Message should be : "If the data stored in this cookie is sensitive, it should be stored internally in the user session. "`



Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 15 Dec 2014, 10:32:07 Freddy Mallet wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`I agree with [~sebastien.gioria] [~ann.campbell.2], we should remove the "encrypted" option in the remediation action.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 15 Dec 2014, 14:53:18 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`Done [~sebastien.gioria]`

			`cc [~freddy.mallet]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 20 Jul 2015, 07:44:10 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`Tagged java-top by Ann`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 7 Mar 2018, 19:01:41 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~alexandre.gigleux] that "derived from" reference you omitted was there because of discussions and agreement with the FindSecBugs author. Granted, this was several years ago (the Geneva office was still on 5) but...`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 9 Mar 2018, 20:51:25 Alexandre Gigleux wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~ann.campbell.2] Fixed`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 28 Mar 2018, 16:35:00 Alexandre Gigleux wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`This is a "Security Hotspot".`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 14 May 2018, 08:57:31 Andrei Epure wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`Having the https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[FindSecBugs rule COOKIE_USAGE] in the description is a bit misleading. The description of the rule is ok, but the actual find-sec-bugs implementation is inside https://github.com/find-sec-bugs/find-sec-bugs/blob/1d288ef15122a4d883343769dd221cbe7bbeecb1/plugin/src/main/java/com/h3xstream/findsecbugs/cookie/CookieReadDetector.java[CookieReadDetector.java] which merely detects if the cookie is read.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 15 Nov 2018, 14:32:20 Alexandre Gigleux wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~andrei.epure] This rule was inspired by FindSecBugs one and we agreed years ago with the main contributor of FindSecBugs to keep a reference to his rule.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 21 May 2019, 19:49:42 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`It's not _writing_ cookies that's the (potential) problem but what you store in them, right?`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 27 May 2020, 16:51:51 Eric Therond wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`Deprecated because it overlaps with rules related to cookies (flags etc)`

			`The content of a cookies is often sensitive (session id, tracking id), it's their goal, there is nothing to fix when an issue is raised here.`