InsecureRandom.md

File metadata and controls

29 lines (19 loc) · 1.15 KB

Pattern: Use of java.util.Random

Issue: -

Description

Reports usages of java.util.Random, which can produce very predictable results. If two instances of Random are created with the same seed and sequence of method calls, they will generate the exact same results. Use java.security.SecureRandom instead, which provides a cryptographically strong random number generator.

SecureRandom also uses a PRNG, meaning it runs a deterministic algorithm to expand a truly random seed into pseudo-random output; unlike java.util.Random, however, its output is non-deterministic to an observer and cannot be reproduced from a guessable seed.

By default, this rule ignores test classes.

Example of violations:

```groovy
def r1 = new Random()
def r2 = new java.util.Random()
Math.random()
java.lang.Math.random()

// this is OK
new java.security.SecureRandom()
new SecureRandom()
```
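The following Groovy script is an added illustration of the rule's rationale, not part of this rule documentation or the project's own code. It shows two `java.util.Random` instances seeded identically producing the same sequence, a token generator built on `Random` (the pattern the rule flags) beside the same generator built on `java.security.SecureRandom`, and asserts that only the seeded `Random` version repeats. Function names and the seed value `42L` are constructed for the example.

```groovy
import java.security.SecureRandom

// Same seed and same call sequence => identical output. This is the
// predictability the rule warns about. Returns true when the streams match.
boolean sameSeedGivesSameSequence(long seed, int count = 5) {
    def r1 = new Random(seed)
    def r2 = new Random(seed)
    def a = (1..count).collect { r1.nextInt(1_000_000) }
    def b = (1..count).collect { r2.nextInt(1_000_000) }
    return a == b
}

// Violation: token bytes drawn from java.util.Random. Anyone who learns or
// guesses the seed can regenerate every token this instance ever produced.
String insecureToken(Random rnd = new Random(), int bytes = 16) {
    byte[] buf = new byte[bytes]
    rnd.nextBytes(buf)
    return buf.encodeHex().toString()
}

// Hardened form: same shape, but the generator is SecureRandom, which is
// cryptographically strong and seeded from the platform's entropy source.
// Reuse one instance rather than constructing a new one per call.
String secureToken(SecureRandom rnd = new SecureRandom(), int bytes = 16) {
    byte[] buf = new byte[bytes]
    rnd.nextBytes(buf)
    return buf.encodeHex().toString()
}

// Constructed demonstration values.
assert sameSeedGivesSameSequence(42L)
assert insecureToken(new Random(42L)) == insecureToken(new Random(42L))

def secure = new SecureRandom()
assert secureToken(secure) != secureToken(secure)

println "seeded Random token (repeatable): ${insecureToken(new Random(42L))}"
println "SecureRandom token:               ${secureToken(secure)}"
```

Note that `Math.random()` is flagged for the same reason: it is backed by a shared `java.util.Random` instance, so it inherits the same predictability. When a deterministic sequence is genuinely wanted (reproducible test data, simulations), `java.util.Random` with an explicit seed is the right tool, which is why the rule skips test classes by default.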

Further Reading