Recipe Name:
Use SecureRandom instead of Random
Description:
Using Random can lead to predictable randomness
Level:
error
Language:
  • java
Tags:
  • security
  • SEI CERT
Documentation

Secure coding practices prescribe that java.util.Random must not be used where unpredictable values are required; java.security.SecureRandom should be used instead.

java.util.Random is a 48-bit linear congruential generator. It is fast and statistically adequate for simulations and games, but its entire internal state can be recovered from a handful of observed outputs (two consecutive nextInt() values suffice), after which every subsequent value is predictable. Predictable randomness is unacceptable for:

  • Generated secrets (keys, IVs, nonces, salts)
  • CSRF Tokens
  • Login and password reset tokens
  • Session identifiers

The fix is only effective when SecureRandom is allowed to seed itself: do not pass a fixed or low-entropy seed to setSeed() before the first output, since on some providers (for example SHA1PRNG) such a seed replaces the self-seeding entirely.

This recipe matches direct instantiations of java.util.Random only (checkInheritance is false because SecureRandom itself extends java.util.Random). Math.random() and java.util.concurrent.ThreadLocalRandom are equally unsuitable for security-sensitive values but are not matched by this recipe.
Before
Random rnd = new Random();
After
SecureRandom rnd = new SecureRandom();
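The following added example (not part of the recipe itself) shows why the rewrite matters. It generates tokens with the "Before" pattern, recovers the generator's 48-bit state from two observed outputs by brute-forcing the 16 low bits that nextInt() discards, predicts the third token, and then shows the "After" pattern producing a 256-bit token. The constants are those of java.util.Random's LCG; the class and method names are chosen for this example.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PredictableRandomDemo {
    // java.util.Random: seed = (seed * MULT + ADD) & MASK; next(32) = (int)(seed >>> 16)
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** Advance the 48-bit LCG state exactly as java.util.Random.next() does. */
    static long step(long state) {
        return (state * MULT + ADD) & MASK;
    }

    /**
     * Given two consecutive nextInt() outputs, recover the internal state
     * after the second output. nextInt() exposes the top 32 bits of the
     * 48-bit state, so only 2^16 candidates for the low bits remain;
     * the second output confirms the right one. Returns -1 if none matches
     * (a false match is possible with probability about 2^-16; a third
     * observed output would resolve it).
     */
    static long recoverState(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1 << 16); low++) {
            long s1 = high | low;
            long s2 = step(s1);
            if ((int) (s2 >>> 16) == out2) {
                return s2;
            }
        }
        return -1;
    }

    /** Predict the next nextInt() output from a recovered state. */
    static int predictNext(long state) {
        return (int) (step(state) >>> 16);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Victim: reset tokens issued from java.util.Random (the "Before" pattern).
        Random weak = new Random();
        int tokenForAttacker = weak.nextInt();   // attacker requests a reset for their own account
        int tokenForAttacker2 = weak.nextInt();  // ... and once more

        // Attacker: two observed tokens are enough to recover the generator state.
        long state = recoverState(tokenForAttacker, tokenForAttacker2);
        int predicted = predictNext(state);

        // Victim issues the next token to a different user; the attacker already knows it.
        int tokenForVictim = weak.nextInt();
        System.out.printf("predicted=%d actual=%d match=%b%n",
                predicted, tokenForVictim, predicted == tokenForVictim);

        // Fix (the "After" pattern): self-seeded SecureRandom and a 256-bit token,
        // so neither state recovery nor guessing is feasible.
        SecureRandom strong = new SecureRandom();
        byte[] token = new byte[32];
        strong.nextBytes(token);
        System.out.println("secure token: " + hex(token));
    }
}
```

Run with `javac PredictableRandomDemo.java && java PredictableRandomDemo`; the `match=true` line is the whole point of the recipe. Note that the secure version also changes the token size: swapping the class while still emitting a 32-bit int would leave the token brute-forceable regardless of the generator.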
References
  • CWE-330: Use of Insufficiently Random Values
  • SEI CERT Oracle Coding Standard for Java, MSC02-J: Generate strong random numbers
Recipe
id: scw:crypto:secure-random
version: 10
metadata:
  name: Use SecureRandom instead of Random
  shortDescription: Using Random can lead to predictable randomness
  level: error
  language: java
  cweCategory: 330
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Use_SecureRandom_instead_of_Random.html
  tags: security;SEI CERT
search:
  instanceCreation:
    type:
      reference: java.util.Random
      checkInheritance: false
availableFixes:
- name: Use SecureRandom instead
  actions:
  - rewrite:
      to: new java.security.SecureRandom()
  - modifyAssignedVariable:
      type: java.security.SecureRandom