Versions Compared

Comment: Edited by sciSpider Java v3.0

...

Code Block
bgColor#FFCCCC
import java.util.Random;
// ...

// Noncompliant: a fixed seed makes every value the generator produces reproducible
Random number = new Random(123L);
// ...
for (int i = 0; i < 20; i++) {
  // generate another random integer in the range [0, 20]
  int n = number.nextInt(21);
  System.out.println(n);
}

...

Code Block
bgColor#ccccff
import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...

public static void main(String[] args) {
   try {
     // Request a named algorithm; the provider may not supply it, hence the exception
     SecureRandom number = SecureRandom.getInstance("SHA1PRNG");
     // Generate 20 integers 0..20
     for (int i = 0; i < 20; i++) {
       System.out.println(number.nextInt(21));
     }
   }
   catch (NoSuchAlgorithmException nsae) {
     // Forward to handler
   }
}

...

Code Block
bgColor#ccccff
import java.util.Random;
// ...

Random number = new Random();
int n;
// ...
for (int i = 0; i < 20; i++) {
  // Re-seed generator
  number = new Random();
  // Generate another random integer in the range [0, 20]
  n = number.nextInt(21);
  System.out.println(n);
}
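As an added illustration (not code from the CERT page), the following self-contained Java program shows why the constant-seeded Random above is predictable and how the SecureRandom alternative behaves; the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class SeedPredictabilityDemo {

    // Draw 'count' values in [0, 20] from the supplied generator.
    // SecureRandom extends Random, so both kinds can be passed here.
    static int[] draw(Random rng, int count) {
        int[] out = new int[count];
        for (int i = 0; i < count; i++) {
            out[i] = rng.nextInt(21);
        }
        return out;
    }

    // Two generators built from the same constant seed produce the same sequence,
    // so anyone who knows (or guesses) the seed knows every "random" value.
    static boolean constantSeedIsReproducible(long seed, int count) {
        return Arrays.equals(draw(new Random(seed), count),
                             draw(new Random(seed), count));
    }

    public static void main(String[] args) {
        // Noncompliant pattern from the page: Random(123L)
        System.out.println("Random(123L) reproducible: "
                + constantSeedIsReproducible(123L, 20));

        // Compliant: SecureRandom self-seeds from the platform entropy source.
        // Using the default constructor avoids naming a specific algorithm,
        // so no NoSuchAlgorithmException handling is needed.
        int[] a = draw(new SecureRandom(), 20);
        int[] b = draw(new SecureRandom(), 20);
        System.out.println("Two SecureRandom streams identical: " + Arrays.equals(a, b));
        System.out.println(Arrays.toString(a));
    }
}
```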

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C Secure Coding Standard as MSC30-C. Do not use the rand() function for generating pseudorandom numbers.

...


...
