JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.
If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.
| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
An insecure random number generator is used instead of a secure one.
In C#, the Random number can be generated with both the System.Random (cryptographically insecure) an the System.Security.Cryptography.RNGCryptoServiceProvide (cryptographically secure) class. However, the latter generates cryptographically secure random numbers and is hence preferred.
| Class Name | Insecure Random Number Generator (C#) | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Significance | security | |||||||||||||||
| Mnemonic | CSHARP.LIB.RAND.FUNC | |||||||||||||||
| Categories |
|
|||||||||||||||
| Availability | Available for C# only. |
|||||||||||||||
| Enabling | Checks for this warning class are enabled by
default. To disable them, add the following WARNING_FILTER rule to the
project configuration file.
WARNING_FILTER += discard class="Insecure Random Number Generator (C#)" |
Japanese (ja)
using System;
using System.Security.Cryptography;
namespace Random
{
public class Random
{
public static void Main(string[] args)
{
System.Random r = new System.Random(); // Insecure Random Number Generator (C#) warning issued here
int[] array = MkRandomArray(Math.Abs(r.Next() % 1000)); // Single-use Random Number Generator (C#) warning issued here
foreach (int i in array)
Console.WriteLine(i);
System.Random r2 = new System.Random(15); // Two warnings issued here:
// - Insecure Random Number Generator (C#)
// - Hardcoded Random Seed (C#)
for(int i = 0; i < 10; i++)
Console.WriteLine("Random value with fixed seed: "+r.Next()); // warning issued here
}
private static int[] MkRandomArray(int length)
{
int[] result = new int[length]; // Two warnings issued here
// - Insecure Random Number Generator (C#)
// - Single-use Random Number Generator (C#)
for (int pos = 0; pos < length; pos++)
result[pos] = new System.Random().Next();
return result;
}
}
}
In this example, the program could be modified as follows:
using System.Security.Cryptography;
private static RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
public static void Main(string[] args)
{
int[] array = MkRandomArray(Math.Abs(getRandomInt() % 1000));
foreach (int i in array)
Console.WriteLine(i);
}
private static int[] MkRandomArray(int length)
{
int[] result = new int[length];
for (int pos = 0; pos < length; pos++)
{
result[pos] = getRandomInt();
}
return result;
}
private static int getRandomInt() {
byte[] buffer = new byte[4];
rng.GetBytes(buffer);
return BitConverter.ToInt32(buffer, 0);
}
Use System.Security.Cryptography.RNGCryptoServiceProvider instead of System.Random. Store the random generator in a field instead of a local variable.
The following configuration file parameters affect checks for this warning class.
To report problems with this documentation, please visit https://support.codesecure.com/.