Fixes, add secure query

go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql

@@ -4,25 +4,24 @@
  *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
  *              'HttpOnly' to 'true' to authentication related cookie to make it
  *              not accessible by JavaScript.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision high
  * @id go/cookie-httponly-not-set
  * @tags security
- *       experimental
  *       external/cwe/cwe-1004
  */
 
 import go
 import semmle.go.security.SecureCookies
 import semmle.go.concepts.HTTP
+import SensitiveCookieNameFlow::PathGraph
 
-from Http::CookieWrite cw, Expr sensitiveNameExpr, string name
+from
+  Http::CookieWrite cw, Expr sensitiveNameExpr, string name,
+  SensitiveCookieNameFlow::PathNode source, SensitiveCookieNameFlow::PathNode sink
 where
-  isSensitiveCookie(cw, sensitiveNameExpr, name) and
-  (
-    isNonHttpOnlyDefault(cw)
-    or
-    isNonHttpOnlyDirect(cw, _)
-  )
-select cw, "Sensitive cookie $@ does not set HttpOnly to true", sensitiveNameExpr, name
+  isSensitiveCookie(cw, sensitiveNameExpr, name, source, sink) and
+  isNonHttpOnlyCookie(cw)
+select cw, source, sink, "Sensitive cookie $@ does not set HttpOnly attribute to true.",
+  sensitiveNameExpr, name

go/ql/src/Security/CWE-614/CookieWithoutSecure.ql

@@ -0,0 +1,18 @@
+/**
+ * @name 'Secure' attribute is not set to true
+ * @description todo
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id go/cookie-secure-not-set
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import go
+import semmle.go.security.SecureCookies
+import semmle.go.concepts.HTTP
+
+from Http::CookieWrite cw
+where isInsecureCookie(cw)
+select cw, "Cookie does not set Secure attribute to true"