• Home
• org.codehaus.sonar-plugins.java
• java-checks
• 3.2
• source code
• S2245.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S2245.html Maven / Gradle / Ivy

When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
As the java.util.Random class relies on a pseudorandom number generator, this class and relating java.lang.Math.random() method should not be used for security-critical applications or for protecting sensitive data. In such context, the java.security.SecureRandom class which relies on a cryptographically strong random number generator (RNG) should be used in place.
Noncompliant Code Example

Random random = new Random();
byte bytes[] = new byte[20];
random.nextBytes(bytes);

See


 MITRE, CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
 MITRE, CWE-330 - Use of Insufficiently Random Values
 MITRE, CWE-326 - Inadequate Encryption Strength
 MITRE, CWE-310 - Cryptographic Issues
 CERT, MSC02-J - Generate strong random numbers
 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
 Derived from FindSecBugs rule Predictable Pseudo Random Number Generator