rspec/rules/S4347/common/how-does-it-work.adoc

=== How does this work?

When the randomly generated data needs to be cryptographically strong, `SecureRandom` is the correct class to use. However, its documentation also cites that "any seed material passed to a `SecureRandom` object must be unpredictable". When no seed is passed by the user to the object, the `SecureRandom` object chooses an unpredictable seed by default. Therefore, the easiest way to fix the issue is to use the default constructor without any calls to `SecureObject.setSeed()`.

To go the extra mile, `SecureObject.getInstanceStrong()` returns an instance of `SecureObject` that is guaranteed to use a strong algorithm for its number generation.

If the randomly generated data is not used for cryptographic purposes and is not business critical, it may be a better choice to use `java.util.Random` instead. In this case, setting a predictable seed may be acceptable depending on the situation.
Modify rule S4347: Update to LayC format (APPSEC-975) (#2903) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-08-23 13:18:37 +02:00			`=== How does this work?`

			When the randomly generated data needs to be cryptographically strong, `SecureRandom` is the correct class to use. However, its documentation also cites that "any seed material passed to a `SecureRandom` object must be unpredictable". When no seed is passed by the user to the object, the `SecureRandom` object chooses an unpredictable seed by default. Therefore, the easiest way to fix the issue is to use the default constructor without any calls to `SecureObject.setSeed()`.

			To go the extra mile, `SecureObject.getInstanceStrong()` returns an instance of `SecureObject` that is guaranteed to use a strong algorithm for its number generation.

			If the randomly generated data is not used for cryptographic purposes and is not business critical, it may be a better choice to use `java.util.Random` instead. In this case, setting a predictable seed may be acceptable depending on the situation.