SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 128

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 129

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2020.2

...

Predictable random number sequences can weaken the security of critical applications such as cryptography.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC02-J

High

Probable

Medium

P12

L1

Automated Detection

Tool
Version
Checker
Description
Coverity7.5RISKY_CRYPTOImplemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
SECURITY.WSC.SRD
Implemented
Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
SonarQube
Include Page
SonarQube_V
SonarQube_V
S2245
 

Related Vulnerabilities

CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.

Related Guidelines

SEI CERT C Coding Standard

MSC30-C. Do not use the rand() function for generating pseudorandom numbers

SEI CERT C++ Coding Standard

MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers

MITRE CWE

CWE-327, Use of a Broken or Risky Cryptographic Algorithm

CWE-330, Use of Insufficiently Random Values

CWE-332, Insufficient Entropy in PRNG

CWE-336, Same Seed in PRNG

CWE-337, Predictable Seed in PRNG

Bibliography

 


[API 2014

Class Random
 Class SecureRandom

[FindBugs 2008]

BC. Random objects created and used only once

 


[Monsch 2006]

 

...



...