Recipe Name:
Random Number Generation: Do not manually define seeds for SecureRandom class
Description:
Do not use your own defined seeds
Level:
error
Language:
- java
Tags:
- security
Documentation:
Secure coding practices prescribe that the seed of a java.security.SecureRandom instance
should not be set manually. Instead, the class should seed itself from the provider's entropy source.
A manually chosen seed can make the generator's output predictable, which is undesirable for:
- Generated secrets
- CSRF Tokens
- Login and password reset tokens
Before:
byte[] seed = "Custom seed".getBytes();
SecureRandom rnd = new SecureRandom(seed);
rnd.setSeed(seed);
After:
byte[] seed = "Custom seed".getBytes();
SecureRandom rnd = new SecureRandom();
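The following added example (not part of the recipe itself) shows why the rule exists: two fresh generators seeded with the same application-chosen bytes produce identical tokens, while two self-seeded generators do not. It assumes the SUN provider's SHA1PRNG, which is fully determined by a seed supplied before any output is drawn; the seed bytes are the constructed "Custom seed" from the snippet above.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SeedDemo {
    // Constructed value, taken from the recipe's "before" snippet.
    static final byte[] FIXED_SEED = "Custom seed".getBytes();

    // Weak pattern: the application picks the seed before any output is drawn.
    // With SHA1PRNG (SUN provider) the whole output stream is then a function of the seed.
    static byte[] tokenWithManualSeed(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.setSeed(seed);
        byte[] token = new byte[32];
        rnd.nextBytes(token);
        return token;
    }

    // Hardened pattern: no seed is supplied, the provider self-seeds from system entropy.
    static byte[] tokenSelfSeeded() {
        SecureRandom rnd = new SecureRandom();
        byte[] token = new byte[32];
        rnd.nextBytes(token);
        return token;
    }

    public static void main(String[] args) throws Exception {
        byte[] a = tokenWithManualSeed(FIXED_SEED);
        byte[] b = tokenWithManualSeed(FIXED_SEED);
        System.out.println("manual seed token:   " + Base64.getEncoder().encodeToString(a));
        System.out.println("two manually seeded instances agree: " + Arrays.equals(a, b));

        byte[] c = tokenSelfSeeded();
        byte[] d = tokenSelfSeeded();
        System.out.println("self-seeded token:   " + Base64.getEncoder().encodeToString(c));
        System.out.println("two self-seeded instances agree:     " + Arrays.equals(c, d));
    }
}
```

Note that the recipe's fix only removes the setSeed call; a seed passed to the SecureRandom(byte[]) constructor is equally application-chosen and should be dropped as well, as the "after" snippet does.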
Recipe:
id: scw:crypto:secure-random-seed-setter
version: 10
metadata:
  name: 'Random Number Generation: Do not manually define seeds for SecureRandom class'
  shortDescription: Do not use your own defined seeds
  level: error
  language: java
  scwCategory: broken_cryptography:improper_use_of_cryptography_algorithm
  enabled: true
  comment: ""
  descriptionFile: Java/Crypto/descriptions/RNG_Do_not_manually_define_seeds_for_SecureRandom_class.html
  tags:
    - security
search:
  methodcall:
    name: setSeed
    type: java.security.SecureRandom
availableFixes:
  - name: Remove setSeed call
    actions:
      - remove:
          target: self