...
The use of the rand() function can result in predictable random numbers.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC30-C | Medium | Unlikely | Low | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||
|---|---|---|---|---|---|---|---|
| Astrée |
|
| Supported, but no explicit checker | |||||||||
| Clang |
| cert-msc30-c | Checked by clang-tidy | ||||||
| CodeSonar |
| BADFUNC.RANDOM.RAND | Use of rand | ||||||
| Compass/ROSE |
| Coverity |
| DONTCALL | Implemented - weak support | ||||||
| CC2.MSC30 | Fully implemented | |||||||
| LDRA tool suite |
| 44 S | Enhanced enforcement | ||||||
| Parasoft C/C++test |
|
|
| SECURITY-02_b | Fully implemented | |||||||
| Polyspace Bug Finder | R2016a | Vulnerable pseudo-random number generator | Using a cryptographically weak pseudo-random number generator | ||||||
| PRQA QA-C |
| 5022 | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C | MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT Oracle Secure Coding Standard for Java | MSC02-J. Generate strong random numbers | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-327, Use of a Broken or Risky Cryptographic Algorithm | 2017-05-16: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-330, Use of Insufficiently Random Values | 2017-06-28: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 2017-06-28: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-676 | 2017-05-18: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
...
- Invocation of other dangerous functions, besides rand().
Bibliography
...
...