SV.RANDOM

This error appears when using initializing an object of type 'java.util.Random'.

Vulnerability and risk

Using 'java.util.Random' can produce very predictable results. If two instances of Random are created with the same seed and sequence of method calls, they will generate the exact same results.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Use 'java.security.SecureRandom' instead. This class provides a cryptographically strong random number generator. SecureRandom still uses PRNG, which means they are using a deterministic algorithm to produce a pseudo-random number from a true random seed. SecureRandom produces non-deterministic output.

Example 1

12
13
14
15
16
17
18
19
20
    public String generateRandomSessionId() {
      Random random = new Random();
      random.setSeed(System.currentTimeMillis());
      return ("sessionId=" + random.nextInt(2000000000));
    }
    public String generateRandomNumberUsingMath() {
      double randomNum = Math.random();
      return (String.valueOf(randomNum));
    }

SV.RANDOM is reported for lines 13 and 18: Use of insecure Random number generator 'Random'.

External guidance

• CERT MSC02-J: Generate strong random numbers
• CWE-330: Use of Insufficiently Random Values
• OWASP A3:2017 Sensitive Data Exposure
• OWASP A2:2021 Cryptographic Failures
• STIG-ID:APP3150.2

Security training

Application security training materials provided by Secure Code Warrior.

• Insecure Randomness Training Video - Test your skills with a training example