CodeQL fails to detect rust/insecure-cookie in Rust code

[fabasoad]

Steps to reproduce

• Download latest CodeQL bundle (v2.25.4 at the moment).
• Have a minimal Rust project with rust/insecure-cookie in it (take the code example from the official documentation).
• Run the following command in the directory with the Rust project:

codeql database create --build-mode=none --language=rust .codeql-db
codeql database analyze --format=sarifv2.1.0 --output=codeql.sarif .codeql-db

• Look at the produced codeql.sarif

Expected behavior

results field should have 1 finding with rust/insecure-cookie id.

Actual behavior

results field is empty

Notes

The same codeql version with the same Rust code worked as expected on May 18, 2026, 2:31 PM GMT+9.

[hvitved]

Hi 👋

I tried to replicate, but it works fine on my end (on macOS). Here is the cargo.toml file I use

[package]
name = "cookie-test"
version = "0.1.0"
edition = "2024"

[dependencies]
cookie = { version = "0.18.1", features = ["percent-encode", "signed", "private"] }
biscotti = { version = "0.4.3" }
actix-web = { version = "4", features = ["cookies"] }
poem = { version = "3", features = ["cookie", "session"] }
http-types = { version = "2", features = ["cookies"] }

and the main.rs file:

use cookie::Cookie;

fn main() {
    println!("Hello, world!");

    // BAD: creating a cookie without specifying the `secure` attribute
    let cookie = Cookie::build(("session", "abcd1234")).build();
    let mut jar = cookie::CookieJar::new();
    jar.add(cookie.clone());
}

Which version of Rust/cargo are you using, and in which environment?

[fabasoad]

Hey! Thank you for looking into this. Here is the information you asked:

cargo.toml

[package]
name = "test-project"
version = "0.1.0"
edition = "2024"

[dependencies]
cookie = "0.18.1"

main.rs

use cookie::Cookie;

fn main() {
  let cookie = Cookie::build(("session", "abcd1234")).build();
  let mut jar = cookie::CookieJar::new();
  jar.add(cookie.clone());
}

cargo --version
cargo 1.95.0 (f2d3ce0bd 2026-03-21)

My local environment: macOS Tahoe 26.4.1 arm64
But the same behavior reproduces in GitHub Actions ubuntu envrironment

---

Just tested once again:

$ codeql database create --build-mode=none --language=rust .codeql-db
Initializing database at.......

$ codeql database analyze --format=sarifv2.1.0 --output=codeql.sarif .codeql-db
Running queries....
................
|                            Metric                            | Value |
+--------------------------------------------------------------+-------+
| Total number of Rust files that were extracted with errors   |     0 |
| Total number of Rust files that were extracted without error |     1 |

$ jq '.runs[].results' codeql.sarif
[]