Fix S2092 FP: When the "Secure" field is set in a conditional (may also impact S3330)

[pierre-loup-tristant-sonarsource]

Rule S2092 is not supposed to trigger if the Secure field of the HttpCookie is set to true (see this unit test).

For some reason a FP appear for a similar test case in the Juliet C# benchmark
https://peach.sonarsource.com/security_hotspots?id=juliet-suite-csharp&hotspots=AYly6kSJ4i6poAEDgZv7

private void Good1(HttpRequest req, HttpResponse resp)
{
  HttpCookie cookie = new HttpCookie("SecretMessage", "Drink your Ovaltine"); // Compliant: FP here
  if (req.IsSecureConnection)
  {
    cookie.Secure = true; // This should prevent the rule from raising an issue
    resp.Cookies.Add(cookie);
  }
}

This leads to 31 FPs in the Juliet C# benchmark

Incidentally, similar FPs also impact S3330.

[andrei-epure-sonarsource]

@pierre-loup-tristant-sonarsource

This leads to 31 FNs in the Juliet C# benchmark

So it this an FP or an FN?

[pierre-loup-tristant-sonarsource]

@andrei-epure-sonarsource it's an FP ticket. I fixed the typo.

[costin-zaharia-sonarsource]

Hi @pierre-loup-tristant-sonarsource, in the example you provided we have a branch where the cookie is created and it's not secure.

In order to always have a secure cookie, the cookie should be created inside the if block:

            HttpCookie cookie;
            if (req.IsSecureConnection)
            {
                cookie = new HttpCookie("SecretMessage", "Drink your Ovaltine");
                cookie.Secure = true;
                resp.Cookies.Add(cookie);
            }

Once the cookie is created in the correct scope, the rule will not raise issues anymore.
It also does not make sense to create the cookie if it's not needed/used.