CheckMarx Medium severity warning - HttpOnly cookie at Startup
CheckMarx is flagging an error which looks like a false positive to me. Our application is written in C# and uses ASP.NET Core.

The error is:

The web application's Startup method creates a cookie Startup, at line 22 of Startup.cs, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.

This is line 22:

public class Startup

And we do have the cookie policy set correctly:

app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always
});

But CheckMarx is still flagging this warning. And I do not think that my Startup class creates a cookie called Startup.

I found a similar post here (unanswered) - https://github.com/Azure/azure-functions-vs-build-sdk/issues/469.

So is this a false positive? And how do I get CheckMarx to stop flagging it?

Trochal answered 5/11, 2020 at 17:4 Comment(4)
Which Checkmarx version are you using? My guess is that since ASP.NET Core is something new, you didn't get the updated results. (Shin)
@Trochal, what version of ASP.NET Core are you using? Checkmarx does recognize cookie policies, it's just not from the middleware you have. (Modulation)
@baruchiro, it is v 9.2.0 HF4. (Trochal)
@RomanCanlas, it is .NET Core 3.1. (Trochal)

For .NET Core 3.1, I fixed this vulnerability warning by configuring the service in the Startup class and then using the CookiePolicy middleware.

In ConfigureServices function:

services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});

In Configure function:

app.UseCookiePolicy();

This could also be used to fix the HttpOnlyPolicy vulnerability in the middleware, like:

services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
});

Remember to use the correct order for the middlewares. You could refer to the ASP.NET Core Middleware Docs to read more and see some examples.

Triboluminescence answered 2/6, 2022 at 11:37 Comment(0)
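As an added example (not the answer's own code), here is a complete .NET Core 3.1 Startup that combines the two steps above and shows the middleware order the answer refers to: UseCookiePolicy is registered before anything that writes cookies, and one endpoint also sets the attributes explicitly on the cookie it appends. The cookie name and value are constructed for the demo.

```csharp
// Added example, not the answer's code: cookie policy applied globally plus
// explicit attributes on the cookie itself (.NET Core 3.1).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Global policy: every cookie written through HttpContext.Response.Cookies
        // is rewritten with HttpOnly and Secure, and SameSite is never weaker than Lax.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.HttpOnly = HttpOnlyPolicy.Always;
            options.Secure = CookieSecurePolicy.Always;
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
        });
        services.AddRouting();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection();

        // Must come before any middleware that sets cookies (authentication,
        // session, endpoints): it wraps the response cookies feature for the
        // rest of the pipeline, so later Append calls get the policy applied.
        app.UseCookiePolicy();

        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapGet("/", async context =>
            {
                // Explicit attributes as well: a scanner that only inspects the
                // Append call sees them, and they are harmless alongside the policy.
                // Cookie name and value are constructed for this demo.
                context.Response.Cookies.Append("demo-cookie", "constructed-value",
                    new CookieOptions
                    {
                        HttpOnly = true,
                        Secure = true,
                        SameSite = SameSiteMode.Strict
                    });
                await context.Response.WriteAsync("cookie set");
            });
        });
    }
}
```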

The only way to remove those warnings was to rename the Startup class to something else, for example to Startup123.

Nothing else removes the warning, and I think it is definitely a false positive.

Trochal answered 5/11, 2020 at 18:0 Comment(0)