JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.
If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.
| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
A fixed seed is used instead of a random one.
The use of fixed seed is not recommended because it causes the generation of a predictable sequence of numbers.
In C#, the Random number can be generated with both the System.Random (cryptographically insecure) an the System.Security.Cryptography.RNGCryptoServiceProvide (cryptographically secure) class. However, the latter generates cryptographically secure random numbers and is hence preferred.
| Class Name | Hardcoded Random Seed (C#) | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Significance | security | |||||||||
| Mnemonic | CSHARP.HARDCODED.SEED | |||||||||
| Categories |
|
|||||||||
| Availability | Available for C# only. |
|||||||||
| Enabling | Checks for this warning class are enabled by
default. To disable them, add the following WARNING_FILTER rule to the
project configuration file.
WARNING_FILTER += discard class="Hardcoded Random Seed (C#)" |
Japanese (ja)
using System;
using System.Security.Cryptography;
namespace Random
{
public class Random
{
public static void Main(string[] args)
{
System.Random r = new System.Random(); // Insecure Random Number Generator (C#) warning issued here
int[] array = MkRandomArray(Math.Abs(r.Next() % 1000)); // Single-use Random Number Generator (C#) warning issued here
foreach (int i in array)
Console.WriteLine(i);
System.Random r2 = new System.Random(15); // Two warnings issued here:
// - Insecure Random Number Generator (C#)
// - Hardcoded Random Seed (C#)
for(int i = 0; i < 10; i++)
Console.WriteLine("Random value with fixed seed: "+r.Next()); // warning issued here
}
private static int[] MkRandomArray(int length)
{
int[] result = new int[length]; // Two warnings issued here
// - Insecure Random Number Generator (C#)
// - Single-use Random Number Generator (C#)
for (int pos = 0; pos < length; pos++)
result[pos] = new System.Random().Next();
return result;
}
}
}
In this example, the program could be modified as follows:
using System.Security.Cryptography;
private static RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
public static void Main(string[] args)
{
int[] array = MkRandomArray(Math.Abs(getRandomInt() % 1000));
foreach (int i in array)
Console.WriteLine(i);
}
private static int[] MkRandomArray(int length)
{
int[] result = new int[length];
for (int pos = 0; pos < length; pos++)
{
result[pos] = getRandomInt();
}
return result;
}
private static int getRandomInt() {
byte[] buffer = new byte[4];
rng.GetBytes(buffer);
return BitConverter.ToInt32(buffer, 0);
}
Use System.Security.Cryptography.RNGCryptoServiceProvider instead of System.Random. Store the random generator in a field instead of a local variable.
Either create a random seed or use a constructor without the seed parameter because typically if not specified the constructor creates an instance that already contains a seed randomly generated by default, as in the case of System.Random.
The following configuration file parameters affect checks for this warning class.
To report problems with this documentation, please visit https://support.codesecure.com/.