...
MSC02-EX0: Using the default constructor for java.util.Random applies a seed value that is "very likely to be distinct from any other invocation of this constructor" [API 2006] and may improve security marginally. As a result, it may be used only for noncritical applications operating on nonsensitive data. Java's default seed uses the system's time in milliseconds. When used, explicit documentation of this exception is required.
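The following added example (not part of the original guideline) contrasts an explicitly seeded java.util.Random, the default constructor covered by MSC02-EX0, and java.security.SecureRandom at the same call site. The class name SeedComparison, the helpers hex and token, and the seed value are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

public class SeedComparison { // hypothetical class name for this example

    // Hex-encodes a byte array so two outputs can be compared as strings.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Draws 16 bytes from whichever generator is passed in.
    static String token(Random rng) {
        byte[] buf = new byte[16];
        rng.nextBytes(buf);
        return hex(buf);
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for a millisecond timestamp.
        long seed = 1_700_000_000_000L;

        // Same seed, same sequence: the failure mode named by CWE-336 and CWE-337.
        String first = token(new Random(seed));
        String second = token(new Random(seed));
        System.out.println("explicit seed, equal: " + first.equals(second));

        // Default constructor (MSC02-EX0): the seed is very likely distinct per
        // invocation, but the generator is still not cryptographically strong.
        String d1 = token(new Random());
        String d2 = token(new Random());
        System.out.println("default seed, equal:  " + d1.equals(d2));

        // SecureRandom extends Random, so it drops into the same call site
        // and is the choice for sensitive values.
        SecureRandom secure = new SecureRandom();
        String s1 = token(secure);
        String s2 = token(secure);
        System.out.println("SecureRandom, equal:  " + s1.equals(s2));
    }
}
```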
...
Related Guidelines
MSC30-C. Do not use the rand() function for generating pseudorandom numbers
MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers
CWE-327. Use of a broken or risky cryptographic algorithm
CWE-330. Use of insufficiently random values
CWE-332. Insufficient entropy in PRNG
CWE-336. Same seed in PRNG
CWE-337. Predictable seed in PRNG
Bibliography
...