...
Using the std::rand()
function could lead to predictable random numbers.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC50-CPP | Medium | Unlikely | Low | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| bad-function (AUTOSAR.26.5.1A) | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC++-MSC50 | |||||||
Clang |
| cert-msc50-cpp | Checked by clang-tidy | ||||||
CodeSonar |
| BADFUNC.RANDOM.RAND | Use of rand | ||||||
Compass/ROSE |
| CC2.MSC30 | Fully implemented |
Helix QAC |
|
|
|
C++5028 | |||||
Klocwork |
|
| CERT.MSC.STD_RAND_CALL |
LDRA tool suite |
| 44 S | Enhanced Enforcement | ||||||
Parasoft C/C++test |
| CERT_CPP-MSC50-a | Do not use the rand() function for generating pseudorandom numbers | |||||||
Polyspace Bug Finder |
| CERT C++: MSC50-CPP | Checks for use of vulnerable pseudo-random number generator (rule partially covered) | ||||||
RuleChecker |
| bad-function (AUTOSAR.26.5.1A) | Fully checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | MSC51-CPP. Ensure your random number generator is properly seeded |
SEI CERT C Coding Standard | MSC30-C. Do not use the rand() function for generating pseudorandom numbers |
CERT Oracle Secure Coding Standard for Java | MSC02-J. Generate strong random numbers |
MITRE CWE | CWE-327, Use of a Broken or Risky Cryptographic Algorithm CWE-330, Use of Insufficiently Random Values |
Bibliography
[ISO/IEC 9899:2011] | Subclause 7.22.2, "Pseudo-random Sequence Generation Functions" |
[ISO/IEC 14882-2014] | Subclause 26.5, "Random Number Generation" |
...
...