RSPEC-4347: "SecureRandom" seeds should not be predictable

    Details

    • Message:
      Change this seed value to something unpredictable, or remove the seed.
    • Highlighting:
      The call to SecureRandom.setSeed() or the SecureRandom(byte[]) constructor call
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-330, CWE-332, CWE-336, CWE-337
    • OWASP:
      A6

      Description

      The java.security.SecureRandom class provides a strong random number generator (RNG) appropriate for cryptography. However, seeding it with a constant or another predictable value will weaken it significantly. In general, it is much safer to rely on the seed provided by the SecureRandom implementation.

      This rule raises an issue when SecureRandom.setSeed() or SecureRandom(byte[]) is called with a seed that is either:

      • a constant
      • System.currentTimeMillis()

      Noncompliant Code Example

      SecureRandom sr = new SecureRandom();
      sr.setSeed(123456L); // Noncompliant: a constant seed makes the output predictable
      int v = sr.nextInt(); // next(int) is protected in java.util.Random; nextInt() is the public equivalent

      sr = new SecureRandom("abcdefghijklmnop".getBytes(java.nio.charset.StandardCharsets.US_ASCII)); // Noncompliant: constant seed passed to the constructor
      v = sr.nextInt();

      Compliant Solution

      SecureRandom sr = new SecureRandom(); // no setSeed(): the implementation seeds itself from the platform entropy source
      int v = sr.nextInt();
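      Why a constant seed matters, shown by an added example that is not part of this rule specification: the SHA1PRNG algorithm is requested explicitly so the behaviour is the same on every platform, and for that algorithm a seed supplied before any output is drawn replaces the generator's own seeding completely, so two instances seeded with the same constant produce byte-for-byte identical output. The class name, the constant seed value and the 16-byte draw are constructed for the demonstration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example (not part of RSPEC-4347): demonstrates the failure mode the rule
// targets. With SHA1PRNG, setSeed() called before the first nextBytes() makes the
// caller-supplied seed the only source of entropy, so the whole output stream is a
// deterministic function of that seed.
public class PredictableSeedDemo {

    // Constructed constant seed, used only to show the problem.
    private static final long CONSTANT_SEED = 123456L;

    // Noncompliant pattern: generator seeded with a constant before any output.
    static byte[] drawWithConstantSeed() throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        sr.setSeed(CONSTANT_SEED); // Noncompliant: output is now fully determined by 123456
        byte[] out = new byte[16];
        sr.nextBytes(out);
        return out;
    }

    // Compliant pattern: no setSeed(); the first nextBytes() call self-seeds from
    // the platform entropy source.
    static byte[] drawSelfSeeded() throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        byte[] out = new byte[16];
        sr.nextBytes(out);
        return out;
    }

    // Two independent draws from each pattern: the seeded pair matches, the
    // self-seeded pair does not.
    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] a = drawWithConstantSeed();
        byte[] b = drawWithConstantSeed();
        System.out.println("constant seed, run 1: " + toHex(a));
        System.out.println("constant seed, run 2: " + toHex(b));
        System.out.println("identical: " + Arrays.equals(a, b));

        byte[] c = drawSelfSeeded();
        byte[] d = drawSelfSeeded();
        System.out.println("self-seeded, run 1:   " + toHex(c));
        System.out.println("self-seeded, run 2:   " + toHex(d));
        System.out.println("identical: " + Arrays.equals(c, d));
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

      Running the class prints the same hex string twice for the constant-seeded pair (identical: true) and two different strings for the self-seeded pair. One caveat a reviewer should know: with the default algorithm on Linux (NativePRNG), a caller-supplied seed is mixed into the internal state rather than replacing it, so the output stays unpredictable there. The rule still flags the call, because the strength of the code would then depend on which provider and algorithm happen to be selected at runtime rather than on the code itself.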

    People

    • Assignee:
      Unassigned
    • Reporter:
      Jean-Christophe Collet (Inactive)