Rust: It turns out Poem defaults 'secure' to true.

geoffw0 · geoffw0 · commit 5fed5a278ec7 · 2025-11-04T18:37:20.000Z
diff --git a/rust/ql/test/query-tests/security/CWE-614/main.rs b/rust/ql/test/query-tests/security/CWE-614/main.rs
@@ -233,9 +233,9 @@ fn test_poem() {
     cookie2.set_secure(true); // good
     jar.add(cookie2.clone());
 
-    // secure left as default
-    let cookie3 = PoemCookie::new_with_str("name", "value"); // $ MISSING: Source
-    jar.add(cookie3.clone()); // $ MISSING: Alert[rust/insecure-cookie]
+    // secure left as default (which is `true` for Poem)
+    let cookie3 = PoemCookie::new_with_str("name", "value");
+    jar.add(cookie3.clone()); // good
 
     // set secure via CookieConfig
     let cookie_config_bad = poem::session::CookieConfig::new().secure(false);
@@ -248,7 +248,7 @@ fn test_poem() {
     _ = poem::session::ServerSession::new(cookie_config_good, ()); // good
 
     let cookie_config_default = poem::session::CookieConfig::new();
-    _ = poem::session::ServerSession::new(cookie_config_default, ()); // $ MISSING: Alert[rust/insecure-cookie]
+    _ = poem::session::ServerSession::new(cookie_config_default, ()); // good
 }
 
 fn test_http_types() {
