SV.RANDOMThis error appears when using initializing an object of type 'java.util.Random'. Vulnerability and riskUsing 'java.util.Random' can produce very predictable results. If two instances of Random are created with the same seed and sequence of method calls, they will generate the exact same results. Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error. Mitigation and preventionUse 'java.security.SecureRandom' instead. This class provides a cryptographically strong random number generator. SecureRandom still uses PRNG, which means they are using a deterministic algorithm to produce a pseudo-random number from a true random seed. SecureRandom produces non-deterministic output. Example 1
12 public String generateRandomSessionId() {
13 Random random = new Random();
14 random.setSeed(System.currentTimeMillis());
15 return ("sessionId=" + random.nextInt(2000000000));
16 }
17 public String generateRandomNumberUsingMath() {
18 double randomNum = Math.random();
19 return (String.valueOf(randomNum));
20 }
SV.RANDOM is reported for lines 13 and 18: Use of insecure Random number generator 'Random'. |