SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 127

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Predictable random number sequences can weaken the security of critical applications such as cryptography.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

MSC02-J

High

Probable

Medium

No

No

P12

P6

L1

L2

Automated Detection

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.HARDCODED.SEED
JAVA.LIB.RAND.FUNC
JAVA.CRYPTO.RCF
JAVA.CRYPTO.RA
JAVA.CRYPTO.RF
JAVA.CRYPTO.BASE64
JAVA.CRYPTO.WHAF
JAVA.LIB.RAND.LEGACY.GEN

Hardcoded Random Seed
Insecure Random Number Generator
Risky Cipher Field
Risky Cryptographic Algorithm)
Risky Cryptographic Field
Unsafe Base64 Encoding
Weak Hash Algorithm Field
Legacy Random Generator

Coverity7.5RISKY_CRYPTOImplemented
Parasoft Jtest
9.5SECURITY.WSC.SRDImplementedSonarQube Java Plugin
Include Page
Parasoft_V
Parasoft_V
CRT.MSC02.SRDUse 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
SonarQube
Include Page
SonarQube
Java Plugin
_V
SonarQube
Java Plugin
_V
S2245
 

Related Vulnerabilities

CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.

Related Guidelines

SEI CERT C Coding Standard

MSC30-C. Do not use the rand() function for generating pseudorandom numbers

SEI CERT C++ Coding Standard

MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers

MITRE CWE

CWE-327, Use of a Broken or Risky Cryptographic Algorithm

CWE-330, Use of Insufficiently Random Values

CWE-332, Insufficient Entropy in PRNG

CWE-336, Same Seed in PRNG

CWE-337, Predictable Seed in PRNG

Bibliography

 


[API 2014

Class Random
 Class SecureRandom

[FindBugs 2008]

BC. Random objects created and used only once

 


[Monsch 2006]

 

...



...