SV.RANDOM
This error appears when using initializing an object of type 'java.util.Random'.
Vulnerability and risk
Using 'java.util.Random' can produce very predictable results. If two instances of Random are created with the same seed and sequence of method calls, they will generate the exact same results.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Use 'java.security.SecureRandom' instead. This class provides a cryptographically strong random number generator. SecureRandom still uses PRNG, which means they are using a deterministic algorithm to produce a pseudo-random number from a true random seed. SecureRandom produces non-deterministic output.
Example 1
public String generateRandomSessionId() {
Random random = new Random();
random.setSeed(System.currentTimeMillis());
return ("sessionId=" + random.nextInt(2000000000));
}
public String generateRandomNumberUsingMath() {
double randomNum = Math.random();
return (String.valueOf(randomNum));
}
SV.RANDOM is reported for lines 13 and 18: Use of insecure Random number generator 'Random'.
External guidance
Security training
Application security training materials provided by Secure Code Warrior.