JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.
If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.
| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
Use of legacy random generator.
Random numbers can be generated with both the java.util.Random and the java.security.SecureRandom class. However, the latter generates cryptographically secure random numbers and is hence preferred. Moreover, recreating the random generator every time that a random number is needed results in a waste of resources. Java 17 provides the java.util.random.RandomGenerator interface. The objects implementing RandomGenerator are typically not cryptographically secure. Note, however, that SecureRandom does implement the RandomGenerator interface, so that instances of SecureRandom may be used interchangeably with other types of pseudorandom generators in applications that do not require a secure generator.
| Class Name | Legacy Random Generator (Java) | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Significance | security | ||||||||||||||||||
| Mnemonic | JAVA.LIB.RAND.LEGACY.GEN | ||||||||||||||||||
| Categories |
|
||||||||||||||||||
| Availability | Available for Java and Kotlin. |
||||||||||||||||||
| Enabling | Checks for this warning class are enabled by
default. To disable them, add the following WARNING_FILTER rule to the
project configuration file.
WARNING_FILTER += discard class="Legacy Random Generator (Java)" |
Japanese (ja)
import java.util.random.RandomGenerator;
import java.util.random.RandomGeneratorFactory;
public class Main {
public static void main(String[] args) {
RandomGenerator wrg_1 = RandomGenerator.of("Random"); /* warnings of two classes issued here:
* Legacy Random Generator (Java)
* Insecure Random Number Generator (Java)
*/
wrg_1.nextInt();
RandomGeneratorFactory<RandomGenerator> wrgf = RandomGeneratorFactory.of("Random"); /* warnings of two classes issued here:
* Legacy Random Generator (Java)
* Insecure Random Number Generator (Java)
*/
RandomGenerator wrg_2 = wrgf.create();
wrg_2.nextInt();
}
}
Use a non-legacy generator such as L64X128MixRandom instead of Random. The L64X128MixRandom has a good balance algorithm, and is suitable for both single-threaded and multi-threaded applications when used properly (a separate instance for each thread). If an application requires a cryptographically secure random number generator, it should use the SecureRandom generator.
RandomGenerator rg_1 = RandomGenerator.of("L64X128MixRandom"); // Insecure Random Number Generator (Java) warning issued here
rg_1.nextInt();
RandomGeneratorFactory<RandomGenerator> rgf = RandomGeneratorFactory.of("L64X128MixRandom"); // Insecure Random Number Generator (Java) warning issued here
RandomGenerator rg_2 = rgf.create();
rg_2.nextInt();
RandomGenerator srg_1 = RandomGenerator.of("SecureRandom");
srg.nextInt();
RandomGeneratorFactory<RandomGenerator> srgf = RandomGeneratorFactory.of("SecureRandom");
RandomGenerator srg_2 = srgf.create();
srg_2.nextInt();
The following configuration file parameters affect checks for this warning class.
To report problems with this documentation, please visit https://support.codesecure.com/.