
False positive on Report #1685

Open
ErnestoTz-WR opened this issue Sep 23, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@ErnestoTz-WR

Description:

We are using Cookies on the project to store the session id of a logged-in user. Cookies are sanitised since they are flagged as HttpOnly (can't be modified by the user). We use the session id for a second request to get the access level of the user and return the response of the Backend. On this level the Scan is flagging that the input is unsanitised; when I remove the variable coming from the cookies, the Security Report no longer shows this issue.
I am curious about how the Scan is triggering this issue. It appears to be a false positive, but I would like to make sure this is the case, and for that I would like to understand the logic behind this part of the scan.

Command used to create the Security Report:
bearer scan -f html --output report.html .

Expected Behavior

The Scan is able to recognise that the Cookies are sanitised based on the HttpOnly flag

Actual Behavior

The Scan is throwing an "Unsanitized user input in HTTP response (XSS)" issue.

@ErnestoTz-WR ErnestoTz-WR added the bug Something isn't working label Sep 23, 2024
@gotbadger
Contributor

gotbadger commented Sep 26, 2024

Generally speaking, we consider HttpOnly cookie data unsanitised user input since it's possible to modify it by manually crafting a request.

Can you share a code snippet so we could have a bit more context here?
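The distinction gotbadger draws, as an added illustration in Python (not code from the issue or from Bearer): HttpOnly is an attribute of the Set-Cookie response header, while the request's Cookie header carries only name=value pairs, so the server cannot tell a browser-managed cookie from one any HTTP client chose to send. The session lookup table, the cookie values and the two render functions are constructed for this example.

```python
from html import escape

# Constructed lookup table standing in for the backend "access level" request
# described in the issue (assumption: a plain dict keyed by session id).
SESSIONS = {"abc123": "admin", "def456": "viewer"}


def parse_request_cookies(cookie_header: str) -> dict:
    """Parse an incoming Cookie header (name=value; name2=value2) into a dict.

    Note what is NOT here: HttpOnly, Secure and SameSite are Set-Cookie
    (response) attributes. A request carries only name=value pairs, so the
    server cannot distinguish a browser-managed cookie from a typed-in one.
    """
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def render_vulnerable(cookie_header: str) -> str:
    """The pattern the scanner flags: cookie-derived data reaches the HTML
    response unchanged, so whatever the client sent is reflected verbatim."""
    session = parse_request_cookies(cookie_header).get("session", "")
    level = SESSIONS.get(session)
    if level is None:
        return f"<p>Unknown session {session}</p>"
    return f"<p>Access level: {level}</p>"


def render_hardened(cookie_header: str) -> str:
    """Same flow, with the untrusted value escaped before it enters the markup."""
    session = parse_request_cookies(cookie_header).get("session", "")
    level = SESSIONS.get(session)
    if level is None:
        return f"<p>Unknown session {escape(session, quote=True)}</p>"
    return f"<p>Access level: {escape(level, quote=True)}</p>"


# Constructed requests: what a browser sends, and what any HTTP client can send.
BROWSER_REQUEST = "session=abc123"
CRAFTED_REQUEST = "session=<b>not-a-session</b>"

if __name__ == "__main__":
    print(render_vulnerable(CRAFTED_REQUEST))  # markup reflected as-is
    print(render_hardened(CRAFTED_REQUEST))    # markup neutralised
```

The check a reviewer would want is on the output side: the flag on the response cookie does nothing for data flowing back in, so the value must be escaped (or validated against the expected session-id format) before it is rendered.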
