=== Related: RSPEC-3329
=== Related: RSPEC-4347
=== On 2015-01-16T08:54:49Z Sébastien Gioria Wrote:
This rule should be tagged OWASP-Top10. It's part of OWASP Top10 A6-Sensitive_Data_Exposure.
It could also be tagged:
* CWE Entry 310 on Cryptographic Issues (\http://cwe.mitre.org/data/definitions/310.html)
* CWE Entry 326 on Weak Encryption (\http://cwe.mitre.org/data/definitions/326.html)
=== On 2015-01-19T09:04:43Z Ann Campbell Wrote:
Thanks [~sebastien.gioria]
=== On 2018-07-27T20:50:24Z Ann Campbell Wrote:
\[~nicolas.harraudeau] where do you expect the issue to be raised? On the ``++rand()++`` call or where the value is used?
=== On 2018-07-30T10:05:05Z Nicolas Harraudeau Wrote:
\[~ann.campbell.2] On the rand() call. This is a hotspot because we are not yet able to detect if the context is dangerous or not.
We could later detect that an encryption function or a hash is using the generated value, but it would then be classified as a Vulnerability instead of a Hotspot.
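The hotspot-versus-vulnerability distinction discussed in the comments above, as an added illustration that is not SonarSource code: a toy AST checker that reports every weak-PRNG call as a hotspot at the call site, and upgrades it to a vulnerability only when the produced value can be traced into a hash or encryption call. The sets of producer and sink names, the sample program and the `encrypt` function are constructed for this example.

```python
import ast

# Constructed for this example: weak PRNG producers and sensitive consumers.
WEAK_RNG_CALLS = {"rand", "random.random", "random.randint", "random.getrandbits"}
SENSITIVE_SINKS = {"hashlib.md5", "hashlib.sha256", "hmac.new", "encrypt"}

def _dotted_name(node):
    # Return 'pkg.attr' for Name/Attribute chains, None for anything else.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def classify_prng_usage(source):
    """Map each weak-PRNG call's line to 'hotspot' or 'vulnerability'."""
    tree = ast.parse(source)
    findings = {}   # call line -> severity, always reported at the rand() call
    tainted = {}    # variable name -> line of the weak call that produced it
    for node in ast.walk(tree):  # pass 1: every weak call is a hotspot
        if isinstance(node, ast.Call) and _dotted_name(node.func) in WEAK_RNG_CALLS:
            findings[node.lineno] = "hotspot"
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and _dotted_name(node.value.func) in WEAK_RNG_CALLS):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted[target.id] = node.value.lineno
    for node in ast.walk(tree):  # pass 2: upgrade calls whose value reaches a sink
        if not (isinstance(node, ast.Call) and _dotted_name(node.func) in SENSITIVE_SINKS):
            continue
        for arg in node.args:
            for sub in ast.walk(arg):  # catches nesting such as str(token).encode()
                if isinstance(sub, ast.Name) and sub.id in tainted:
                    findings[tainted[sub.id]] = "vulnerability"
                elif isinstance(sub, ast.Call) and _dotted_name(sub.func) in WEAK_RNG_CALLS:
                    findings[sub.lineno] = "vulnerability"
    return findings

# Constructed sample program; it is only parsed, never executed.
SAMPLE = """\
import random, hashlib
seed = random.random()                # line 2: only printed -> stays a hotspot
print("seed", seed)
token = random.getrandbits(128)       # line 4: reaches a hash -> vulnerability
digest = hashlib.sha256(str(token).encode()).hexdigest()
key = encrypt(random.randint(0, 99))  # line 6: direct argument -> vulnerability
"""
```

Calling `classify_prng_usage(SAMPLE)` returns `{2: "hotspot", 4: "vulnerability", 6: "vulnerability"}`; line 2 stays a hotspot because the checker cannot tell whether printing the value is dangerous, which is exactly why the rule raises on the `rand()` call.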