rspec/rules/S2119/java/rule.adoc

== Why is this an issue?

Creating a new ``++Random++`` object each time a random value is needed is inefficient and may produce numbers which are not random depending on the JDK. For better efficiency and randomness, create a single ``++Random++``, then store, and reuse it.


The ``++Random()++`` constructor tries to set the seed with a distinct value every time. However there is no guarantee that the seed will be random or even uniformly distributed. Some JDK will use the current time as seed, which makes the generated numbers not random at all.


This rule finds cases where a new ``++Random++`` is created each time a method is invoked.


=== Noncompliant code example

[source,java]
----
public void doSomethingCommon() {
  Random rand = new Random();  // Noncompliant; new instance created with each invocation
  int rValue = rand.nextInt();
  //...
----


=== Compliant solution

[source,java]
----
private Random rand = SecureRandom.getInstanceStrong();  // SecureRandom is preferred to Random

public void doSomethingCommon() {
  int rValue = this.rand.nextInt();
  //...
----


=== Exceptions

A class which uses a ``++Random++`` in its constructor or in a static ``++main++`` function and nowhere else will be ignored by this rule.

== Resources

* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Save and re-use this "Random".


'''
== Comments And Links
(visible only on this page)

=== on 8 Oct 2014, 18:10:47 Ann Campbell wrote:
\[~nicolas.peru] to what degree do we see/pay attention to "run once" annotations during analysis, e.g. @PostConstruct?

=== on 22 Oct 2014, 19:14:36 Nicolas Peru wrote:
At the moment : none. 

So this rule won't detect that your random object is initialized in an init method.


It might makes more sense to actually detect Random local variables. 

=== on 22 Oct 2014, 19:40:32 Ann Campbell wrote:
\[~nicolas.peru] you mean local ``++Random++`` variables, right? :-)

(I did actually have to read that twice & note the capital letter to understand your meaning :-) )


I'd say that as written, this rule is about local ``++Random++``s (did you assign it back to me because you don't agree?), but I was hoping to be able to make it smarter. Oh well.

=== on 15 Aug 2018, 18:28:35 Nicolas Harraudeau wrote:
This RSPEC is for now limited to detecting local variables of type ``++java.util.Random++``.

It could later cover cases where the Random object is not even assigned:

----
(new Random()).nextInt()
----

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			Creating a new ``++Random++`` object each time a random value is needed is inefficient and may produce numbers which are not random depending on the JDK. For better efficiency and randomness, create a single ``++Random++``, then store, and reuse it.


			The ``++Random()++`` constructor tries to set the seed with a distinct value every time. However there is no guarantee that the seed will be random or even uniformly distributed. Some JDK will use the current time as seed, which makes the generated numbers not random at all.


Modify rule S2119[Java]: the rule now also detect when not assigned locally 2021-11-12 17:30:01 +01:00			This rule finds cases where a new ``++Random++`` is created each time a method is invoked.
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`public void doSomethingCommon() {`
			`Random rand = new Random(); // Noncompliant; new instance created with each invocation`
			`int rValue = rand.nextInt();`
			`//...`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`private Random rand = SecureRandom.getInstanceStrong(); // SecureRandom is preferred to Random`

			`public void doSomethingCommon() {`
			`int rValue = this.rand.nextInt();`
			`//...`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Exceptions`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
			A class which uses a ``++Random++`` in its constructor or in a static ``++main++`` function and nowhere else will be ignored by this rule.

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Save and re-use this "Random".`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 8 Oct 2014, 18:10:47 Ann Campbell wrote:`
			`\[~nicolas.peru] to what degree do we see/pay attention to "run once" annotations during analysis, e.g. @PostConstruct?`

			`=== on 22 Oct 2014, 19:14:36 Nicolas Peru wrote:`
			`At the moment : none.`

			`So this rule won't detect that your random object is initialized in an init method.`


			`It might makes more sense to actually detect Random local variables.`

			`=== on 22 Oct 2014, 19:40:32 Ann Campbell wrote:`
			\[~nicolas.peru] you mean local ``++Random++`` variables, right? :-)

			`(I did actually have to read that twice & note the capital letter to understand your meaning :-) )`


			I'd say that as written, this rule is about local ``++Random++``s (did you assign it back to me because you don't agree?), but I was hoping to be able to make it smarter. Oh well.

			`=== on 15 Aug 2018, 18:28:35 Nicolas Harraudeau wrote:`
			This RSPEC is for now limited to detecting local variables of type ``++java.util.Random++``.

			`It could later cover cases where the Random object is not even assigned:`

			`----`
			`(new Random()).nextInt()`
			`----`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`