BADFUNC.RANDOM.RAND48 : rand48の使用

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

BADFUNC.RANDOM.RAND48 : rand48の使用

要旨

rand48 ファミリーの関数を使用しています。これらの関数はセキュアなアプリケーション向けに十分なランダム性を提供していません。

プロパティ

CWE

CWE:327

Use of a Broken or Risky Cryptographic Algorithm

CWE:332

Insufficient Entropy in PRNG

CWE:334

Small Space of Random Values

CWE:338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE:676

Use of Potentially Dangerous Function

DISA-6r1

DISA-6r1:V-222397

The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

DISA-6r1:V-222570

The application must utilize FIPS-validated cryptographic modules when signing application components.

DISA-6r1:V-222571

The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

DISA-6r1:V-222572

The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.

DISA-6r1:V-222583

The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

DISA-5r3

DISA-5r3:V-69259

The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

DISA-5r3:V-70191

The application must utilize FIPS-validated cryptographic modules when signing application components.

DISA-5r3:V-70193

The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

DISA-5r3:V-70195

The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.

DISA-5r3:V-70217

DISA-4r3

DISA-4r3:V-69259

The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

DISA-4r3:V-70191

The application must utilize FIPS-validated cryptographic modules when signing application components.

DISA-4r3:V-70193

The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

DISA-4r3:V-70195

The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.

DISA-4r3:V-70217

DISA-3r10

DISA-3r10:V-6137

The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

Using components with known vulnerabilities

OWASP-2021

OWASP-2021:A2

Cryptographic failures

OWASP-2021:A4

Insecure design

OWASP-2021:A6

Vulnerable and outdated components