Azure / azure-functions-vs-build-sdk

MSBuild task for Azure Functions
MIT License

SAST issue with Azure Function StartUp file for HttpCookie and Secure Cookie #469

Open sspradhan1 opened 3 years ago

sspradhan1 commented 3 years ago

We are using the Azure Functions .NET SDK for writing HttpTrigger and TimerTrigger Azure Functions. When we ran a SAST scan using Checkmarx, we got the following two issues:

  1. The web application's IWebJobsStartup method creates a cookie Startup, at line -- ----------/Startup.cs, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.
  2. Startup.cs application configuration file, at line --, does not define sensitive application cookies with the "secure" flag, which could cause the client to send those cookies in plaintext over an insecure network communication (HTTP). This may lead to a Session Hijacking attack.

We have already added cookie policies for them, but we are still getting the issue:

```csharp
using Microsoft.AspNetCore.Builder;          // CookiePolicyOptions
using Microsoft.AspNetCore.CookiePolicy;     // HttpOnlyPolicy
using Microsoft.AspNetCore.Http;             // CookieSecurePolicy
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup : IWebJobsStartup
{
    public void Configure(IWebJobsBuilder builder)
    {
        builder.Services.AddScoped<IDataProcessingRepository, DataProcessingRepository>();

        // Cookie policy: always mark cookies Secure and HttpOnly.
        builder.Services.Configure<CookiePolicyOptions>(options =>
        {
            options.Secure = CookieSecurePolicy.Always;
            options.HttpOnly = HttpOnlyPolicy.Always;
        });
    }
}
```
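As an added example (not code from the issue reporter or the repository), here is how an in-process Azure Functions HTTP trigger can emit a cookie with the HttpOnly and Secure attributes set explicitly on the cookie itself. The in-process Functions host does not run ASP.NET Core's CookiePolicyMiddleware, so CookiePolicyOptions registered in Startup do not change the emitted Set-Cookie header; per-cookie CookieOptions are the dependable control. The function name, route and the "session" cookie name are assumptions.

```csharp
// Added example: an in-process Azure Functions HTTP trigger that sets a cookie
// with every security-relevant attribute explicit. Assumes the in-process model
// (Microsoft.NET.Sdk.Functions); function name, route and cookie name are made up.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;

public static class SessionCookieFunction
{
    [FunctionName("SetSessionCookie")]
    public static IActionResult Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = "session")] HttpRequest req)
    {
        // The in-process host does not apply CookiePolicyOptions from Startup,
        // so set the flags on the cookie itself rather than relying on policy.
        var options = new CookieOptions
        {
            HttpOnly = true,                 // not readable by script (limits XSS impact)
            Secure = true,                   // only sent over HTTPS
            SameSite = SameSiteMode.Strict,  // not attached to cross-site requests
            Path = "/",
            Expires = DateTimeOffset.UtcNow.AddMinutes(30),
        };

        // Opaque, unguessable identifier; session state itself stays server-side.
        var id = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(id);
        }
        var sessionId = BitConverter.ToString(id).Replace("-", "");

        req.HttpContext.Response.Cookies.Append("session", sessionId, options);
        return new OkResult();
    }
}
```

To check the result, inspect the response headers (for example with `curl -i` against the function URL) and confirm the Set-Cookie header carries `HttpOnly; Secure; SameSite=Strict`.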

kmillerdevx3 commented 2 years ago

This appears to be a bug in Checkmarx, where the mere presence of a class named Startup triggers the analyzer.

I confirmed this by renaming the class to ApiStart, and the analyzer warning immediately went away.

sourabhDemo commented 2 years ago

Yes, same. For me this was the case with Azure Functions.