...
Compliant Solution
The C++ Standard Library provides mechanisms for fine-grained control over pseudorandom number generation. It breaks number generation down into two parts: an engine, the algorithm responsible for producing raw random values, and a distribution, the object responsible for mapping those values onto a range according to a density function. The distribution object is not strictly required, but it ensures that values are properly distributed within the requested range instead of being skewed by bias (such as the modulo bias introduced by reducing an engine's output with `%`). This compliant solution uses the Mersenne Twister algorithm as the engine for generating random values and a uniform distribution to eliminate the modulo bias from the noncompliant code example:
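The engine-plus-distribution pattern described above, as an added example written for this page rather than the CERT compliant solution itself: the engine is `std::mt19937`, the distribution is `std::uniform_int_distribution`, and the helper names (`make_engine`, `uniform_values`, `all_in_range`) and the seed value are assumptions for illustration. Seeding from `std::random_device` is what a real caller should do; the overload that takes an explicit seed exists only so the output can be checked reproducibly.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <random>
#include <vector>

// Builds a Mersenne Twister engine seeded from std::random_device, the
// nondeterministic source the standard library provides for seeding.
std::mt19937 make_engine() {
    std::random_device rd;
    return std::mt19937(rd());
}

// Overload with an explicit seed so callers (and tests) can reproduce a sequence.
std::mt19937 make_engine(std::uint_fast32_t seed) {
    return std::mt19937(seed);
}

// Draws `count` values uniformly from the closed range [lo, hi]. The
// distribution object handles the range mapping; the caller never reduces
// engine output with `%`, which is what introduces modulo bias.
std::vector<int> uniform_values(std::mt19937& engine, std::size_t count, int lo, int hi) {
    std::uniform_int_distribution<int> dist(lo, hi);
    std::vector<int> out;
    out.reserve(count);
    for (std::size_t i = 0; i < count; ++i) {
        out.push_back(dist(engine));
    }
    return out;
}

// Sanity check a practitioner would run on the result: every value lies in range.
bool all_in_range(const std::vector<int>& values, int lo, int hi) {
    for (int v : values) {
        if (v < lo || v > hi) {
            return false;
        }
    }
    return true;
}

int main() {
    std::mt19937 engine = make_engine();
    // Constructed usage: ten values in [0, 99], the same range the
    // noncompliant `std::rand() % 100` idiom tries to produce.
    for (int v : uniform_values(engine, 10, 0, 99)) {
        std::cout << v << ' ';
    }
    std::cout << '\n';
    return 0;
}
```

`std::mt19937` is a statistically strong generator but not a cryptographically secure one: its internal state can be recovered from a few hundred outputs, so for keys, tokens, or nonces use a CSPRNG (the platform's `getrandom`/`BCryptGenRandom`, or a cryptographic library) rather than any `<random>` engine.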
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | MSC51-CPP. Ensure your random number generator is properly seeded |
SEI CERT C Coding Standard | MSC30-C. Do not use the rand() function for generating pseudorandom numbers |
CERT Oracle Secure Coding Standard for Java | MSC02-J. Generate strong random numbers |
MITRE CWE | CWE-327, Use of a Broken or Risky Cryptographic Algorithm; CWE-330, Use of Insufficiently Random Values |
...