Merge branch 'main' into redsun82/ripunzip

2025-12-16 16:53:25 +01:00 · 2025-11-11 11:57:29 +01:00
parent 02e696d9cc 8624f9c660
commit 29a2f96cc7
162 changed files with 13644 additions and 20929 deletions
--- a/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/old.dbscheme
+++ b/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/old.dbscheme
--- a/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/upgrade.properties
+++ b/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/upgrade.properties
@@ -0,0 +1,2 @@
+description: Fix decltype qualifier issue
+compatibility: full
--- a/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
+++ b/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
@@ -144,14 +144,14 @@ class NameQualifiableElement extends Element, @namequalifiableelement {
 class NameQualifyingElement extends Element, @namequalifyingelement {
  /**
   * Gets a name qualifier for which this is the qualifying namespace or
-   * user-defined type. For example: class `X` is the
+   * user-defined type, or decltype. For example: class `X` is the
   * `NameQualifyingElement` and `X::` is the `NameQualifier`.
   */
  NameQualifier getANameQualifier() {
    namequalifiers(unresolveElement(result), _, underlyingElement(this), _)
  }

-  /** Gets the name of this namespace or user-defined type. */
+  /** Gets the name of this namespace, user-defined type, or decltype. */
  string getName() { none() }
 }

--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -1146,7 +1146,7 @@ class DerivedType extends Type, @derivedtype {
 * decltype(a) b;
 * ```
 */
-class Decltype extends Type {
+class Decltype extends Type, NameQualifyingElement {
  Decltype() { decltypes(underlyingElement(this), _, 0, _, _) }

  override string getAPrimaryQlClass() { result = "Decltype" }
@@ -1187,7 +1187,7 @@ class Decltype extends Type {

  override string toString() { result = "decltype(...)" }

-  override string getName() { none() }
+  override string getName() { result = "decltype(...)" }

  override int getSize() { result = this.getBaseType().getSize() }

@@ -1247,7 +1247,7 @@ class TypeofType extends Type {

  override string toString() { result = "typeof(...)" }

-  override string getName() { none() }
+  override string getName() { result = "typeof(...)" }

  override int getSize() { result = this.getBaseType().getSize() }

@@ -1311,8 +1311,6 @@ class TypeofTypeType extends TypeofType {
  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }

  override string getAPrimaryQlClass() { result = "TypeofTypeType" }
-
-  override string toString() { result = "typeof(...)" }
 }

 /**
@@ -1394,7 +1392,7 @@ class IntrinsicTransformedType extends Type {

  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }

-  override string getName() { none() }
+  override string getName() { result = this.getIntrinsicName() + "(...)" }

  override int getSize() { result = this.getBaseType().getSize() }

--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -703,6 +703,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
    )
  }

+  pragma[nomagic]
  override predicate comparesLt(
    Cpp::Expr left, Cpp::Expr right, int k, boolean isLessThan, boolean testIsTrue
  ) {
@@ -713,6 +714,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
    )
  }

+  pragma[nomagic]
  override predicate comparesLt(Cpp::Expr e, int k, boolean isLessThan, GuardValue value) {
    exists(GuardValue partValue, GuardCondition part |
      this.(Cpp::BinaryLogicalOperation)
@@ -738,6 +740,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
    )
  }

+  pragma[nomagic]
  override predicate comparesEq(
    Cpp::Expr left, Cpp::Expr right, int k, boolean areEqual, boolean testIsTrue
  ) {
@@ -757,6 +760,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
    )
  }

+  pragma[nomagic]
  override predicate comparesEq(Cpp::Expr e, int k, boolean areEqual, GuardValue value) {
    exists(GuardValue partValue, GuardCondition part |
      this.(Cpp::BinaryLogicalOperation)
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -656,6 +656,7 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
 * Normalize the `n`'th parameter of `f` by replacing template names
 * with `class:N` (where `N` is the index of the template).
 */
+pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
  // If there is a declaring type then we start by expanding the function templates
  exists(Class template |
@@ -727,6 +728,7 @@ private string getSignatureWithoutClassTemplateNames(
 * - The `remaining` number of template arguments in `partiallyNormalizedSignature`
 * with their index in `nameArgs`.
 */
+pragma[nomagic]
 private string getSignatureWithoutFunctionTemplateNames(
  string partiallyNormalizedSignature, string typeArgs, string nameArgs, int remaining
 ) {
@@ -770,6 +772,7 @@ private string getSignatureWithoutFunctionTemplateNames(
 * ```
 * In this case, `normalizedSignature` will be `"(const func:0 &,int,class:1,class:0 *)"`.
 */
+pragma[nomagic]
 private predicate elementSpecWithArguments(
  string signature, string type, string name, string normalizedSignature, string typeArgs,
  string nameArgs
@@ -789,6 +792,35 @@ private string getSignatureParameterName(string signature, string type, string n
  )
 }

+/**
+ * Gets a `Function` identified by the `(namespace, type, name)` components.
+ *
+ * If `subtypes` is `true` then the result may be an override of the function
+ * identified by the components.
+ */
+pragma[nomagic]
+private Function getFunction(string namespace, string type, boolean subtypes, string name) {
+  elementSpec(namespace, type, subtypes, name, _, _) and
+  (
+    funcHasQualifiedName(result, namespace, name) and
+    subtypes = false and
+    type = ""
+    or
+    exists(Class namedClass, Class classWithMethod |
+      hasClassAndName(classWithMethod, result, name) and
+      classHasQualifiedName(namedClass, namespace, type)
+    |
+      // member declared in the named type or a subtype of it
+      subtypes = true and
+      classWithMethod = namedClass.getADerivedClass*()
+      or
+      // member declared directly in the named type
+      subtypes = false and
+      classWithMethod = namedClass
+    )
+  )
+}
+
 /**
 * Holds if the suffix containing the entries in `signature` starting at entry
 * `i` matches the suffix containing the parameters of `func` starting at entry `i`.
@@ -812,13 +844,17 @@ private string getSignatureParameterName(string signature, string type, string n
 * is `func:n` then the signature name is compared with the `n`'th name
 * in `name`.
 */
-private predicate signatureMatches(Function func, string signature, string type, string name, int i) {
+pragma[nomagic]
+private predicate signatureMatches(
+  Function func, string namespace, string signature, string type, string name, int i
+) {
+  func = getFunction(namespace, type, _, name) and
  exists(string s |
    s = getSignatureParameterName(signature, type, name, i) and
    s = getParameterTypeName(func, i)
  ) and
  if exists(getParameterTypeName(func, i + 1))
-  then signatureMatches(func, signature, type, name, i + 1)
+  then signatureMatches(func, namespace, signature, type, name, i + 1)
  else i = count(signature.indexOf(","))
 }

@@ -833,7 +869,7 @@ module ExternalFlowDebug {
   *
   * Exposed for testing purposes.
   */
-  predicate signatureMatches_debug = signatureMatches/5;
+  predicate signatureMatches_debug = signatureMatches/6;

  /**
   * INTERNAL: Do not use.
@@ -883,6 +919,7 @@ private predicate parseParens(string s, string betweenParens) { s = "(" + betwee
 * - `signatureWithoutParens` equals `signature`, but with the surrounding
 *    parentheses removed.
 */
+pragma[nomagic]
 private predicate elementSpecWithArguments0(
  string signature, string type, string name, string signatureWithoutParens, string typeArgs,
  string nameArgs
@@ -909,7 +946,7 @@ private predicate elementSpecMatchesSignature(
 ) {
  elementSpec(namespace, pragma[only_bind_into](type), subtypes, pragma[only_bind_into](name),
    pragma[only_bind_into](signature), _) and
-  signatureMatches(func, signature, type, name, 0)
+  signatureMatches(func, namespace, signature, type, name, 0)
 }

 /**
@@ -953,7 +990,7 @@ private predicate funcHasQualifiedName(Function func, string namespace, string n
 * Holds if `namedClass` is in namespace `namespace` and has
 * name `type` (excluding any template parameters).
 */
-bindingset[type, namespace]
+bindingset[type]
 pragma[inline_late]
 private predicate classHasQualifiedName(Class namedClass, string namespace, string type) {
  exists(string typeWithoutArgs |
@@ -969,17 +1006,14 @@ private predicate classHasQualifiedName(Class namedClass, string namespace, stri
 *    are also returned.
 * 3. The element has name `name`
 * 4. If `signature` is non-empty, then the element has a list of parameter types described by `signature`.
- *
- * NOTE: `namespace` is currently not used (since we don't properly extract modules yet).
 */
 pragma[nomagic]
 private Element interpretElement0(
  string namespace, string type, boolean subtypes, string name, string signature
 ) {
+  result = getFunction(namespace, type, subtypes, name) and
  (
    // Non-member functions
-    funcHasQualifiedName(result, namespace, name) and
-    subtypes = false and
    type = "" and
    (
      elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
@@ -989,52 +1023,36 @@ private Element interpretElement0(
    )
    or
    // Member functions
-    exists(Class namedClass, Class classWithMethod |
-      hasClassAndName(classWithMethod, result, name) and
-      classHasQualifiedName(namedClass, namespace, type)
-    |
-      (
-        elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
-        or
-        signature = "" and
-        elementSpec(namespace, type, subtypes, name, "", _)
-      ) and
-      (
-        // member declared in the named type or a subtype of it
-        subtypes = true and
-        classWithMethod = namedClass.getADerivedClass*()
-        or
-        // member declared directly in the named type
-        subtypes = false and
-        classWithMethod = namedClass
-      )
-    )
+    elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
    or
-    elementSpec(namespace, type, subtypes, name, signature, _) and
-    // Member variables
    signature = "" and
-    exists(Class namedClass, Class classWithMember, MemberVariable member |
-      member.getName() = name and
-      member = classWithMember.getAMember() and
-      namedClass.hasQualifiedName(namespace, type) and
-      result = member
-    |
-      // field declared in the named type or a subtype of it (or an extension of any)
-      subtypes = true and
-      classWithMember = namedClass.getADerivedClass*()
-      or
-      // field declared directly in the named type (or an extension of it)
-      subtypes = false and
-      classWithMember = namedClass
-    )
-    or
-    // Global or namespace variables
-    elementSpec(namespace, type, subtypes, name, signature, _) and
-    signature = "" and
-    type = "" and
-    subtypes = false and
-    result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
+    elementSpec(namespace, type, subtypes, name, signature, _)
  )
+  or
+  // Member variables
+  elementSpec(namespace, type, subtypes, name, signature, _) and
+  signature = "" and
+  exists(Class namedClass, Class classWithMember, MemberVariable member |
+    member.getName() = name and
+    member = classWithMember.getAMember() and
+    namedClass.hasQualifiedName(namespace, type) and
+    result = member
+  |
+    // field declared in the named type or a subtype of it (or an extension of any)
+    subtypes = true and
+    classWithMember = namedClass.getADerivedClass*()
+    or
+    // field declared directly in the named type (or an extension of it)
+    subtypes = false and
+    classWithMember = namedClass
+  )
+  or
+  // Global or namespace variables
+  elementSpec(namespace, type, subtypes, name, signature, _) and
+  signature = "" and
+  type = "" and
+  subtypes = false and
+  result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
 }

 cached
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -1327,7 +1327,8 @@ specialnamequalifyingelements(
@namequalifiableelement = @expr | @namequalifier;
@namequalifyingelement = @namespace
                       | @specialnamequalifyingelement
-                       | @usertype;
+                       | @usertype
+                       | @decltype;

 namequalifiers(
    unique int id: @namequalifier,
--- a/cpp/ql/lib/upgrades/c16b29b27f71247023321cc0d0360998b318837c/old.dbscheme
+++ b/cpp/ql/lib/upgrades/c16b29b27f71247023321cc0d0360998b318837c/old.dbscheme
--- a/cpp/ql/lib/upgrades/c16b29b27f71247023321cc0d0360998b318837c/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/c16b29b27f71247023321cc0d0360998b318837c/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/c16b29b27f71247023321cc0d0360998b318837c/upgrade.properties
+++ b/cpp/ql/lib/upgrades/c16b29b27f71247023321cc0d0360998b318837c/upgrade.properties
@@ -0,0 +1,2 @@
+description: Fix decltype qualifier issue
+compatibility: full
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.ql
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.ql
@@ -2,7 +2,7 @@ import cpp
 import semmle.code.cpp.dataflow.ExternalFlow
 import ExternalFlowDebug

-query predicate signatureMatches = signatureMatches_debug/5;
+query predicate signatureMatches = signatureMatches_debug/6;

 query predicate getSignatureParameterName = getSignatureParameterName_debug/4;

--- a/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
@@ -16,6 +16,7 @@ ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
 ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
 ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
 ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
 ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
@@ -33,6 +34,7 @@ ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.q
 ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
 ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
 ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
@@ -120,6 +120,7 @@ ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
 ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
 ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
 ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
 ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
@@ -140,6 +141,7 @@ ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.q
 ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
 ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
 ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
 ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
@@ -23,6 +23,7 @@ ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
 ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
 ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
 ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
 ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
@@ -43,6 +44,7 @@ ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.q
 ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
 ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
 ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
 ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
--- a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
@@ -84,9 +84,7 @@ ql/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
 ql/csharp/ql/src/definitions.ql
 ql/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
 ql/csharp/ql/src/experimental/CWE-918/RequestForgery.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
 ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
 ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.ql
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
@@ -1,13 +1,13 @@
 /**
- * Provides classes and predicates for detecting insecure cookies.
+ * Definitions for detecting insecure and non-HttpOnly cookies.
 */
-deprecated module;

 import csharp
-import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.frameworks.system.Web
+private import semmle.code.csharp.frameworks.microsoft.AspNetCore

 /**
- * Holds if the expression is a variable with a sensitive name.
+ * Holds if the expression is a sensitive string literal or a variable with a sensitive name.
 */
 predicate isCookieWithSensitiveName(Expr cookieExpr) {
  exists(DataFlow::Node sink |
@@ -17,7 +17,7 @@ predicate isCookieWithSensitiveName(Expr cookieExpr) {
 }

 /**
- * Configuration for tracking if a variable with a sensitive name is used as an argument.
+ * Configuration for tracking if a sensitive string literal or a variable with a sensitive name is used as an argument.
 */
 private module AuthCookieNameConfig implements DataFlow::ConfigSig {
  private predicate isAuthVariable(Expr expr) {
@@ -33,7 +33,15 @@ private module AuthCookieNameConfig implements DataFlow::ConfigSig {

  predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) }

-  predicate isSink(DataFlow::Node sink) { exists(Call c | sink.asExpr() = c.getAnArgument()) }
+  predicate isSink(DataFlow::Node sink) {
+    exists(Call c |
+      sink.asExpr() = c.getAnArgument() and
+      (
+        c.getTarget() = any(MicrosoftAspNetCoreHttpResponseCookies cls).getAppendMethod() or
+        c.(ObjectCreation).getType() instanceof SystemWebHttpCookie
+      )
+    )
+  }
 }

 /**
@@ -119,13 +127,13 @@ private signature string propertyName();

 /**
 * Configuration for tracking if a callback used in `OnAppendCookie` sets a cookie property to `true`.
+ *
+ * ` getPropertyName` specifies the cookie property name to track.
 */
 private module OnAppendCookieTrackingConfig<propertyName/0 getPropertyName> implements
  DataFlow::ConfigSig
 {
-  /**
-   * Specifies the cookie property name to track.
-   */
+  /** Source is the parameter of a callback passed to `OnAppendCookie` */
  predicate isSource(DataFlow::Node source) {
    exists(PropertyWrite pw, Assignment delegateAssign, Callable c |
      pw.getProperty().getName() = "OnAppendCookie" and
@@ -146,6 +154,7 @@ private module OnAppendCookieTrackingConfig<propertyName/0 getPropertyName> impl
    )
  }

+  /** Sink is a property write that sets the given property to `true`. */
  predicate isSink(DataFlow::Node sink) {
    exists(PropertyWrite pw, Assignment a |
      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
@@ -178,7 +187,7 @@ private module OnAppendCookieSecureTrackingConfig =
  OnAppendCookieTrackingConfig<getPropertyNameSecure/0>;

 /**
- * Tracks if a callback used in `OnAppendCookie` sets `Secure` to `true`.
+ * Tracks if a callback used in `OnAppendCookie` sets `Secure` to `true`, and thus cookies appended to responses are secure by default.
 */
 module OnAppendCookieSecureTracking = DataFlow::Global<OnAppendCookieSecureTrackingConfig>;

@@ -191,6 +200,6 @@ private module OnAppendCookieHttpOnlyTrackingConfig =
  OnAppendCookieTrackingConfig<getPropertyNameHttpOnly/0>;

 /**
- * Tracks if a callback used in `OnAppendCookie` sets `HttpOnly` to `true`.
+ * Tracks if a callback used in `OnAppendCookie` sets `HttpOnly` to `true`, and thus cookies appended to responses are httponly by default.
 */
 module OnAppendCookieHttpOnlyTracking = DataFlow::Global<OnAppendCookieHttpOnlyTrackingConfig>;
--- a/Features/CWE-1004/CookieWithoutHttpOnly.qhelp
+++ b/Features/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -0,0 +1,60 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>HttpOnly</code> flag set are accessible to client-side scripts such as JavaScript running in the same origin. 
+In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
+If a sensitive cookie does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set.</p>
+</overview>
+
+<recommendation>
+<p>
+Set the <code>HttpOnly</code> flag to <code>true</code> for authentication cookies to ensure they are not accessible to client-side scripts.
+</p> 
+<p>
+When using ASP.NET Core, <code>CookiePolicyOptions</code> can be used to set a default policy for cookies.
+
+When using ASP.NET Web Forms, a default may also be configured in the <code>Web.config</code> file, using the <code>httpOnlyCookies</code> attribute of the 
+the <code>&lt;httpCookies&gt;</code> element.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below, <code>Microsoft.AspNetCore.Http.CookieOptions.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflagcore.cs" />
+
+<p>
+In the following example, <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
+</p>
+
+<sample src="cookiepolicyoptions.cs" />
+
+<p>
+In the example below, <code>System.Web.HttpCookie.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflag.cs" />
+
+<p>
+In the example below, the <code>httpOnlyCookies</code> attribute is set to <code>true</code> in the <code>Web.config</code> file.
+</p>
+<sample src="Web.config"/>
+
+</example>
+
+<references>
+
+<li>ASP.Net Core docs: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.httponly">CookieOptions.HttpOnly Property</a>.</li>
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx">HttpCookie.HttpOnly Property</a>.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a>.</li>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set">Cookie without HttpOnly flag set</a></li>
+
+</references>
+</qhelp>
--- a/Features/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/Features/CWE-1004/CookieWithoutHttpOnly.ql
@@ -0,0 +1,118 @@
+/**
+ * @name Cookie 'HttpOnly' attribute is not set to true
+ * @description Sensitive cookies without the `HttpOnly` property set are accessible by client-side scripts such as JavaScript.
+ *              This makes them more vulnerable to being stolen by an XSS attack.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id cs/web/cookie-httponly-not-set
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.security.auth.SecureCookies
+
+predicate cookieAppendHttpOnlyByDefault() {
+  // default is set to `Always`
+  getAValueForCookiePolicyProp("HttpOnly").getValue() = "1"
+  or
+  // there is an `OnAppendCookie` callback that sets `HttpOnly` to true
+  OnAppendCookieHttpOnlyTracking::flowTo(_)
+}
+
+predicate httpOnlyFalse(ObjectCreation oc) {
+  exists(Assignment a |
+    getAValueForProp(oc, a, "HttpOnly") = a.getRValue() and
+    a.getRValue().getValue() = "false"
+  )
+}
+
+predicate httpOnlyFalseOrNotSet(ObjectCreation oc) {
+  httpOnlyFalse(oc)
+  or
+  not isPropertySet(oc, "HttpOnly")
+}
+
+predicate nonHttpOnlyCookieOptionsCreation(ObjectCreation oc, MethodCall append) {
+  // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+  oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+  httpOnlyFalseOrNotSet(oc) and
+  exists(DataFlow::Node creation, DataFlow::Node sink |
+    CookieOptionsTracking::flow(creation, sink) and
+    creation.asExpr() = oc and
+    sink.asExpr() = append.getArgument(2)
+  )
+}
+
+predicate nonHttpOnlySystemWebSensitiveCookieCreation(ObjectCreation oc) {
+  oc.getType() instanceof SystemWebHttpCookie and
+  isCookieWithSensitiveName(oc.getArgument(0)) and
+  (
+    httpOnlyFalse(oc)
+    or
+    // the property wasn't explicitly set, so a default value from config is used
+    not isPropertySet(oc, "HttpOnly") and
+    // the default in config is not set to `true`
+    not exists(XmlElement element |
+      element instanceof HttpCookiesElement and
+      element.(HttpCookiesElement).isHttpOnlyCookies()
+    )
+  )
+}
+
+predicate sensitiveCookieAppend(MethodCall mc) {
+  exists(MicrosoftAspNetCoreHttpResponseCookies iResponse |
+    iResponse.getAppendMethod() = mc.getTarget() and
+    isCookieWithSensitiveName(mc.getArgument(0))
+  )
+}
+
+predicate nonHttpOnlyCookieCall(Call c) {
+  (
+    not cookieAppendHttpOnlyByDefault() and
+    exists(MethodCall mc |
+      sensitiveCookieAppend(mc) and
+      (
+        nonHttpOnlyCookieOptionsCreation(c, mc)
+        or
+        // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
+        mc = c and
+        mc.getNumberOfArguments() < 3 and
+        mc.getTarget().getParameter(0).getType() instanceof StringType
+      )
+    )
+    or
+    nonHttpOnlySystemWebSensitiveCookieCreation(c)
+  )
+}
+
+predicate nonHttpOnlyCookieBuilderAssignment(Assignment a, Expr val) {
+  val.getValue() = "false" and
+  exists(PropertyWrite pw |
+    (
+      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+      pw.getProperty().getDeclaringType() instanceof
+        MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+    ) and
+    pw.getProperty().getName() = "HttpOnly" and
+    a.getLValue() = pw and
+    DataFlow::localExprFlow(val, a.getRValue())
+  )
+}
+
+from Expr httpOnlySink
+where
+  (
+    nonHttpOnlyCookieCall(httpOnlySink)
+    or
+    exists(Assignment a |
+      httpOnlySink = a.getRValue() and
+      nonHttpOnlyCookieBuilderAssignment(a, _)
+    )
+  )
+select httpOnlySink, "Cookie attribute 'HttpOnly' is not set to true."
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Web.config
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Web.config
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
  <system.web>
-    <httpCookies requireSSL="false" />
+    <httpCookies httpOnlyCookies="true"/>
  </system.web>
-</configuration>
+</configuration>
--- a/Features/CWE-1004/cookiepolicyoptions.cs
+++ b/Features/CWE-1004/cookiepolicyoptions.cs
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
--- a/Features/CWE-1004/httponlyflagcore.cs
+++ b/Features/CWE-1004/httponlyflagcore.cs
--- a/Features/CWE-614/CookieWithoutSecure.qhelp
+++ b/Features/CWE-614/CookieWithoutSecure.qhelp
@@ -0,0 +1,61 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>Secure</code> flag set may be transmitted using HTTP instead of HTTPS.
+This leaves them vulnerable to being read by a third party attacker. If a sensitive cookie such as a session
+key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.</p>
+</overview>
+
+<recommendation>
+<p>
+When using ASP.NET Core, ensure cookies have the secure flag set by setting <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code>, or 
+using <code>CookiePolicyOptions</code> to set a default security policy.
+</p>
+<p>
+When using ASP.NET Web Forms, cookies can be configured as secure by default in the <code>Web.config</code> file, setting the <code>requireSSL</code> attribute to <code>true</code> in the  <code>forms</code> or <code>httpCookies</code> element. 
+Cookies may also be set to be secure programmatically by setting the <code>System.Web.HttpCookie.Secure</code> attribute to <code>true</code>.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below, <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code>.
+</p>
+
+<sample src="secureflagcore.cs" />
+
+<p>
+In the following example, <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
+</p>
+
+<sample src="cookiepolicyoptions.cs" />
+
+<p>
+In the example below <code>System.Web.HttpCookie.Secure</code> is set to <code>true</code> programmatically.
+</p>
+
+<sample src="secureflag.cs" />
+
+<p>
+In the example below, the <code>requireSSL</code> attribute is set to <code>true</code> in the <code>forms</code> element of the <code>Web.config</code> file.
+</p>
+<sample src="Web.config" />
+
+</example>
+
+<references>
+
+<li>ASP.NET Core docs: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property</a>.</li>
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110).aspx">FormsAuthentication.RequireSSL Property</a>.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.100).aspx">forms Element for authentication</a>.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a>.</li>
+<li>Detectify: <a href="https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag">Cookie lack Secure flag</a>.</li>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set">TLS cookie without secure flag set</a>.</li>
+
+</references>
+</qhelp>
--- a/Features/CWE-614/CookieWithoutSecure.ql
+++ b/Features/CWE-614/CookieWithoutSecure.ql
@@ -0,0 +1,116 @@
+/**
+ * @name Cookie 'Secure' attribute is not set to true
+ * @description Cookies without the `Secure` flag may be sent in cleartext.
+ *              This makes them vulnerable to be intercepted by an attacker.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 5.0
+ * @precision high
+ * @id cs/web/cookie-secure-not-set
+ * @tags security
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-614
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.security.auth.SecureCookies
+
+predicate cookieAppendSecureByDefault() {
+  // default is set to `Always` or `SameAsRequest`
+  (
+    getAValueForCookiePolicyProp("Secure").getValue() = "0" or
+    getAValueForCookiePolicyProp("Secure").getValue() = "1"
+  )
+  or
+  //callback `OnAppendCookie` that sets `Secure` to true
+  OnAppendCookieSecureTracking::flowTo(_)
+}
+
+predicate secureFalse(ObjectCreation oc) {
+  exists(Assignment a |
+    getAValueForProp(oc, a, "Secure") = a.getRValue() and
+    a.getRValue().getValue() = "false"
+  )
+}
+
+predicate secureFalseOrNotSet(ObjectCreation oc) {
+  secureFalse(oc)
+  or
+  not isPropertySet(oc, "Secure")
+}
+
+predicate insecureCookieOptionsCreation(ObjectCreation oc) {
+  // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+  oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+  secureFalseOrNotSet(oc) and
+  exists(DataFlow::Node creation |
+    CookieOptionsTracking::flow(creation, _) and
+    creation.asExpr() = oc
+  )
+}
+
+predicate insecureCookieAppend(Expr sink) {
+  // IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
+  exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+    mc = sink and
+    iResponse.getAppendMethod() = mc.getTarget() and
+    mc.getNumberOfArguments() < 3 and
+    mc.getTarget().getParameter(0).getType() instanceof StringType
+  )
+}
+
+predicate insecureSystemWebCookieCreation(ObjectCreation oc) {
+  oc.getType() instanceof SystemWebHttpCookie and
+  (
+    secureFalse(oc)
+    or
+    // `Secure` property in `System.Web.HttpCookie` wasn't set, so a default value from config is used
+    not isPropertySet(oc, "Secure") and
+    // the default in config is not set to `true`
+    not exists(XmlElement element |
+      element instanceof FormsElement and
+      element.(FormsElement).isRequireSsl()
+      or
+      element instanceof HttpCookiesElement and
+      element.(HttpCookiesElement).isRequireSsl()
+    )
+  )
+}
+
+predicate insecureCookieCall(Call c) {
+  not cookieAppendSecureByDefault() and
+  (
+    insecureCookieOptionsCreation(c)
+    or
+    insecureCookieAppend(c)
+  )
+  or
+  insecureSystemWebCookieCreation(c)
+}
+
+predicate insecureSecurePolicyAssignment(Assignment a, Expr val) {
+  exists(PropertyWrite pw |
+    (
+      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+      pw.getProperty().getDeclaringType() instanceof
+        MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+    ) and
+    pw.getProperty().getName() = "SecurePolicy" and
+    a.getLValue() = pw and
+    DataFlow::localExprFlow(val, a.getRValue()) and
+    val.getValue() = "2" // None
+  )
+}
+
+from Expr secureSink
+where
+  insecureCookieCall(secureSink)
+  or
+  exists(Assignment a |
+    secureSink = a.getRValue() and
+    insecureSecurePolicyAssignment(a, _)
+  )
+select secureSink, "Cookie attribute 'Secure' is not set to true."
--- a/Features/CWE-614/cookiepolicyoptions.cs
+++ b/Features/CWE-614/cookiepolicyoptions.cs
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
--- a/csharp/ql/src/change-notes/2025-10-24-insecure-cookie-query-promote.md
+++ b/csharp/ql/src/change-notes/2025-10-24-insecure-cookie-query-promote.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+The `cs/web/cookie-secure-not-set` and `cs/web/cookie-httponly-not-set` queries have been promoted from experimental to the main query pack.
--- a/Features/CWE-1004/CookieWithoutHttpOnly.qhelp
+++ b/Features/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -1,51 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
-Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.
-</p>
-</overview>
-
-<recommendation>
-<p>
-Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
-them not accessible to JavaScript. In ASP.NET case it is also possible to set the attribute via <code>&lt;httpCookies&gt;</code> element
-of <code>web.config</code> with the attribute <code>httpOnlyCookies="true"</code>.
-</p>
-</recommendation>
-
-<example>
-
-<p>
-In the example below <code>Microsoft.AspNetCore.Http.CookieOptions.HttpOnly</code> is set to <code>true</code>.
-</p>
-
-<sample src="httponlyflagcore.cs" />
-
-<p>
-In the following example <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
-</p>
-
-<sample src="cookiepolicyoptions.cs" />
-
-<p>
-In the example below <code>System.Web.HttpCookie.HttpOnly</code> is set to <code>true</code>.
-</p>
-
-<sample src="httponlyflag.cs" />
-
-</example>
-
-<references>
-
-<li><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.httponly">CookieOptions.HttpOnly Property,</a></li>
-<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header,</li>
-<li><a href="https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx">HttpCookie.HttpOnly Property,</a></li>
-<li><a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element,</a></li>
-
-</references>
-</qhelp>
--- a/Features/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/Features/CWE-1004/CookieWithoutHttpOnly.ql
@@ -1,107 +0,0 @@
-/**
- * @name 'HttpOnly' attribute is not set to true
- * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
- *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
- *              'HttpOnly' to 'true' to authentication related cookie to make it
- *              not accessible by JavaScript.
- * @kind problem
- * @problem.severity warning
- * @precision high
- * @id cs/web/cookie-httponly-not-set
- * @tags security
- *       experimental
- *       external/cwe/cwe-1004
- */
-
-import csharp
-import semmle.code.asp.WebConfig
-import semmle.code.csharp.frameworks.system.Web
-import semmle.code.csharp.frameworks.microsoft.AspNetCore
-deprecated import experimental.dataflow.flowsources.AuthCookie
-
-deprecated query predicate problems(Expr httpOnlySink, string message) {
-  (
-    exists(Assignment a, Expr val |
-      httpOnlySink = a.getRValue() and
-      val.getValue() = "false" and
-      (
-        exists(ObjectCreation oc |
-          getAValueForProp(oc, a, "HttpOnly") = val and
-          (
-            oc.getType() instanceof SystemWebHttpCookie and
-            isCookieWithSensitiveName(oc.getArgument(0))
-            or
-            exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
-              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-              iResponse.getAppendMethod() = mc.getTarget() and
-              isCookieWithSensitiveName(mc.getArgument(0)) and
-              // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-              not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-              // Passed as third argument to `IResponseCookies.Append`
-              exists(DataFlow::Node creation, DataFlow::Node append |
-                CookieOptionsTracking::flow(creation, append) and
-                creation.asExpr() = oc and
-                append.asExpr() = mc.getArgument(2)
-              )
-            )
-          )
-        )
-        or
-        exists(PropertyWrite pw |
-          (
-            pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
-            pw.getProperty().getDeclaringType() instanceof
-              MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
-          ) and
-          pw.getProperty().getName() = "HttpOnly" and
-          a.getLValue() = pw and
-          DataFlow::localExprFlow(val, a.getRValue())
-        )
-      )
-    )
-    or
-    exists(Call c |
-      httpOnlySink = c and
-      (
-        exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
-          // default is not configured or is not set to `Always`
-          not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
-          // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-          not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-          iResponse.getAppendMethod() = mc.getTarget() and
-          isCookieWithSensitiveName(mc.getArgument(0)) and
-          (
-            // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
-            exists(ObjectCreation oc |
-              oc = c and
-              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-              not isPropertySet(oc, "HttpOnly") and
-              exists(DataFlow::Node creation |
-                CookieOptionsTracking::flow(creation, _) and
-                creation.asExpr() = oc
-              )
-            )
-            or
-            // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
-            mc = c and
-            mc.getNumberOfArguments() < 3
-          )
-        )
-        or
-        exists(ObjectCreation oc |
-          oc = c and
-          oc.getType() instanceof SystemWebHttpCookie and
-          isCookieWithSensitiveName(oc.getArgument(0)) and
-          // the property wasn't explicitly set, so a default value from config is used
-          not isPropertySet(oc, "HttpOnly") and
-          // the default in config is not set to `true`
-          not exists(XmlElement element |
-            element instanceof HttpCookiesElement and
-            element.(HttpCookiesElement).isHttpOnlyCookies()
-          )
-        )
-      )
-    )
-  ) and
-  message = "Cookie attribute 'HttpOnly' is not set to true."
-}
--- a/Features/CWE-614/CookieWithoutSecure.qhelp
+++ b/Features/CWE-614/CookieWithoutSecure.qhelp
@@ -1,55 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Sensitive data that is transmitted using HTTP is vulnerable to being read by a third party. By default,
-cookies are sent via HTTP, not HTTPS.
-</p>
-</overview>
-
-<recommendation>
-<p>
-In ASP.NET case when using cookies ensure that HTTPS is used by setting the property <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code>.
-</p>
-<p>
-In ASP.NET Core case when using cookies, ensure that HTTPS is used, either via the <code>&lt;forms&gt;</code> attribute above, or
-the <code>&lt;httpCookies&gt;</code> element, with the attribute <code>requireSSL="true"</code>. It is also possible to require cookies
-to use HTTPS programmatically, by setting the property <code>System.Web.HttpCookie.Secure</code> to <code>true</code>.
-</p>
-</recommendation>
-
-<example>
-
-<p>
-In the example below <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code> programmatically.
-</p>
-
-<sample src="secureflagcore.cs" />
-
-<p>
-In the following example <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
-</p>
-
-<sample src="cookiepolicyoptions.cs" />
-
-<p>
-In the example below <code>System.Web.HttpCookie.Secure</code> is set to <code>true</code> programmatically.
-</p>
-
-<sample src="secureflag.cs" />
-
-</example>
-
-<references>
-
-<li><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property,</a></li>
-<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header,</li>
-<li><a href="https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110).aspx">FormsAuthentication.RequireSSL Property,</a></li>
-<li><a href="https://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.100).aspx">forms Element for authentication,</a></li>
-<li><a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element,</a></li>
-
-</references>
-</qhelp>
--- a/Features/CWE-614/CookieWithoutSecure.ql
+++ b/Features/CWE-614/CookieWithoutSecure.ql
@@ -1,107 +0,0 @@
-/**
- * @name 'Secure' attribute is not set to true
- * @description Omitting the 'Secure' attribute allows data to be transmitted insecurely
- *              using HTTP. Always set 'Secure' to 'true' to ensure that HTTPS
- *              is used at all times.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id cs/web/cookie-secure-not-set
- * @tags security
- *       experimental
- *       external/cwe/cwe-319
- *       external/cwe/cwe-614
- */
-
-import csharp
-import semmle.code.asp.WebConfig
-import semmle.code.csharp.frameworks.system.Web
-import semmle.code.csharp.frameworks.microsoft.AspNetCore
-deprecated import experimental.dataflow.flowsources.AuthCookie
-
-deprecated query predicate problems(Expr secureSink, string message) {
-  (
-    exists(Call c |
-      secureSink = c and
-      (
-        // default is not configured or is not set to `Always` or `SameAsRequest`
-        not (
-          getAValueForCookiePolicyProp("Secure").getValue() = "0" or
-          getAValueForCookiePolicyProp("Secure").getValue() = "1"
-        ) and
-        // there is no callback `OnAppendCookie` that sets `Secure` to true
-        not OnAppendCookieSecureTracking::flowTo(_) and
-        (
-          // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
-          exists(ObjectCreation oc |
-            oc = c and
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            not isPropertySet(oc, "Secure") and
-            exists(DataFlow::Node creation |
-              CookieOptionsTracking::flow(creation, _) and
-              creation.asExpr() = oc
-            )
-          )
-          or
-          // IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
-          exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
-            mc = c and
-            iResponse.getAppendMethod() = mc.getTarget() and
-            mc.getNumberOfArguments() < 3
-          )
-        )
-        or
-        exists(ObjectCreation oc |
-          oc = c and
-          oc.getType() instanceof SystemWebHttpCookie and
-          // the property wasn't explicitly set, so a default value from config is used
-          not isPropertySet(oc, "Secure") and
-          // the default in config is not set to `true`
-          // the `exists` below covers the `cs/web/requiressl-not-set`
-          not exists(XmlElement element |
-            element instanceof FormsElement and
-            element.(FormsElement).isRequireSsl()
-            or
-            element instanceof HttpCookiesElement and
-            element.(HttpCookiesElement).isRequireSsl()
-          )
-        )
-      )
-    )
-    or
-    exists(Assignment a, Expr val |
-      secureSink = a.getRValue() and
-      (
-        exists(ObjectCreation oc |
-          getAValueForProp(oc, a, "Secure") = val and
-          val.getValue() = "false" and
-          (
-            oc.getType() instanceof SystemWebHttpCookie
-            or
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            // there is no callback `OnAppendCookie` that sets `Secure` to true
-            not OnAppendCookieSecureTracking::flowTo(_) and
-            // the cookie option is passed to `Append`
-            exists(DataFlow::Node creation |
-              CookieOptionsTracking::flow(creation, _) and
-              creation.asExpr() = oc
-            )
-          )
-        )
-        or
-        exists(PropertyWrite pw |
-          (
-            pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
-            pw.getProperty().getDeclaringType() instanceof
-              MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
-          ) and
-          pw.getProperty().getName() = "SecurePolicy" and
-          a.getLValue() = pw and
-          DataFlow::localExprFlow(val, a.getRValue()) and
-          val.getValue() = "2" // None
-        )
-      )
-    )
-  ) and
-  message = "Cookie attribute 'Secure' is not set to true."
-}
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <authentication>
-      <forms
-        requireSSL="true"
-        ... />
-    </authentication>
-    <httpCookies
-        requireSSL="true"
-        ... />
-  </system.web>
-</configuration>
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected
@@ -1,4 +0,0 @@
-| Program.cs:25:34:25:38 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:38:88:38:92 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:61:34:61:34 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:68:88:68:88 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs
@@ -1,37 +0,0 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Hosting;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.AspNetCore.Http;
-
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.HttpOnly = false;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in callback
-    }
-}
-
-public class Startup
-{
-    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
-    {
-        app.UseCookiePolicy();
-    }
-
-    public void ConfigureServices(IServiceCollection services)
-    {
-        services.Configure<CookiePolicyOptions>(options =>
-        {
-            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
-        });
-    }
-
-    private void SetCookies(CookieOptions options)
-    {
-        options.Secure = true;
-        options.HttpOnly = true;
-    }
-}
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/options
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
--- a/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected
+++ b/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected
@@ -1,4 +0,0 @@
-| Program.cs:23:27:23:31 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:28:74:28:78 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:48:27:48:27 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:54:74:54:74 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/options
+++ b/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected
@@ -1,2 +0,0 @@
-| Program.cs:5:9:5:49 | call to method Append | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:15:29:15:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs
@@ -1,52 +0,0 @@
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        Response.Cookies.Append("auth", "secret"); // BAD: HttpOnly is set to false by default
-    }
-
-    public void CookieDefaultForgery()
-    {
-        Response.Cookies.Append("antiforgerytoken", "secret"); // GOOD: not an auth cookie
-    }
-
-    public void CookieDefault2()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD: HttpOnly is set to false by default
-    }
-
-    public void CookieDelete()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Delete("auth", cookieOptions); // GOOD: Delete call
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.HttpOnly = true;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = true };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        bool v = true;
-        cookieOptions.HttpOnly = v;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/options
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.expected
@@ -1 +0,0 @@
-| Program.cs:5:22:5:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Program.cs
@@ -1,36 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // BAD: httpOnlyCookies is set to false by default
-    }
-
-    void CookieDefaultForgery()
-    {
-        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        cookie.HttpOnly = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        bool v = true;
-        cookie.HttpOnly = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/options
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.expected
@@ -1 +0,0 @@
-| Program.cs:5:22:5:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Program.cs
@@ -1,36 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // BAD: httpOnlyCookies is set to false in config
-    }
-
-    void CookieDefaultForgery()
-    {
-        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        cookie.HttpOnly = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        bool v = true;
-        cookie.HttpOnly = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Web.config
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Web.config
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <httpCookies httpOnlyCookies="false" />
-  </system.web>
-</configuration>
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/options
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Program.cs
@@ -1,36 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // GOOD: httpOnlyCookies is set to true in config
-    }
-
-    void CookieDefaultForgery()
-    {
-        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        cookie.HttpOnly = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        bool v = true;
-        cookie.HttpOnly = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Web.config
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Web.config
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <httpCookies httpOnlyCookies="true" />
-  </system.web>
-</configuration>
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/options
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/Program.cs
@@ -1,47 +0,0 @@
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        Response.Cookies.Append("name", "value"); // BAD: requireSSL is set to false by default
-    }
-
-    public void CookieDefault2()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Append("name", "value", cookieOptions); // BAD: requireSSL is set to false by default
-    }
-
-    public void CookieDelete()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Delete("name", cookieOptions); // GOOD: Delete call
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.Secure = true;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = true };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        bool v = true;
-        cookieOptions.Secure = v;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.expected
@@ -1,2 +0,0 @@
-| Program.cs:5:9:5:48 | call to method Append | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:10:29:10:73 | object creation of type CookieOptions | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLAspNetCore/options
+++ b/Features/CWE-614/RequireSSLAspNetCore/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.expected
@@ -1,4 +0,0 @@
-| Program.cs:25:32:25:36 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:31:86:31:90 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:54:32:54:32 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:61:86:61:86 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/Program.cs
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/Program.cs
@@ -1,37 +0,0 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Hosting;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.AspNetCore.Http;
-
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.Secure = false;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: Secure is set in callback
-    }
-}
-
-public class Startup
-{
-    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
-    {
-        app.UseCookiePolicy();
-    }
-
-    public void ConfigureServices(IServiceCollection services)
-    {
-        services.Configure<CookiePolicyOptions>(options =>
-        {
-            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
-        });
-    }
-
-    private void SetCookies(CookieOptions options)
-    {
-        options.Secure = true;
-        options.HttpOnly = true;
-    }
-}
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/options
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.expected
@@ -1,4 +0,0 @@
-| Program.cs:17:25:17:29 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:22:73:22:77 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:42:25:42:25 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:48:73:48:73 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/Web.config
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/Web.config
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <httpCookies />
-  </system.web>
-</configuration>
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/options
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Program.cs
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // BAD: requireSSL is set to false by default
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.expected
@@ -1 +0,0 @@
-| Program.cs:5:22:5:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/options
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Program.cs
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // BAD: requireSSL is set to false in config
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.expected
@@ -1 +0,0 @@
-| Program.cs:5:22:5:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/options
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/options
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Program.cs
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.qlref
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/options
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/options
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
--- a/Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/CookieWithoutHttpOnly.expected
+++ b/Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/CookieWithoutHttpOnly.expected
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql`
				`@@ -1 +0,0 @@`
				`\| Program.cs:5:22:5:59 \| object creation of type HttpCookie \| Cookie attribute 'HttpOnly' is not set to true. \|`
				`@@ -1 +0,0 @@`
				`experimental/Security Features/CWE-614/CookieWithoutSecure.ql`
				`@@ -1 +0,0 @@`
				`\| Program.cs:5:22:5:60 \| object creation of type HttpCookie \| Cookie attribute 'Secure' is not set to true. \|`