105 lines
3.0 KiB
Plaintext
105 lines
3.0 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Creating a new `Random` object each time a random value is needed is inefficient and may produce numbers that are not random, depending on
|
|
the JDK. For better efficiency and randomness, create a single `Random`, store it, and reuse it.
|
|
|
|
The `Random()` constructor tries to set the seed with a distinct value every time. However, there is no guarantee that the seed will be
|
|
randomly or uniformly distributed. Some JDK will use the current time as seed, making the generated numbers not random.
|
|
|
|
This rule finds cases where a new `Random` is created each time a method is invoked.
|
|
|
|
=== Exceptions
|
|
|
|
This rule doesn't apply to classes that use a `Random` in their constructors or the static `main` function and nowhere else.
|
|
|
|
== How to fix it
|
|
|
|
Define and reuse the `Random` object.
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,java,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
class MyClass {
|
|
|
|
public void doSomethingCommon() {
|
|
Random random = new Random(); // Noncompliant - new instance created with each invocation
|
|
int rValue = random.nextInt();
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
[source,java,diff-id=1,diff-type=compliant]
|
|
----
|
|
class MyClass {
|
|
private Random random = new Random(); // Compliant
|
|
|
|
public void doSomethingCommon() {
|
|
int rValue = this.random.nextInt();
|
|
}
|
|
}
|
|
----
|
|
|
|
== Resources
|
|
|
|
=== Documentation
|
|
* https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/util/Random.html[Oracle Java SE - Random]
|
|
|
|
|
|
=== Articles & blog posts
|
|
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
|
|
* https://www.baeldung.com/java-generating-random-numbers[Baeldung - generating random number]
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Save and re-use this "Random".
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 8 Oct 2014, 18:10:47 Ann Campbell wrote:
|
|
\[~nicolas.peru] to what degree do we see/pay attention to "run once" annotations during analysis, e.g. @PostConstruct?
|
|
|
|
=== on 22 Oct 2014, 19:14:36 Nicolas Peru wrote:
|
|
At the moment : none.
|
|
|
|
So this rule won't detect that your random object is initialized in an init method.
|
|
|
|
|
|
It might makes more sense to actually detect Random local variables.
|
|
|
|
=== on 22 Oct 2014, 19:40:32 Ann Campbell wrote:
|
|
\[~nicolas.peru] you mean local ``++Random++`` variables, right? :-)
|
|
|
|
(I did actually have to read that twice & note the capital letter to understand your meaning :-) )
|
|
|
|
|
|
I'd say that as written, this rule is about local ``++Random++``s (did you assign it back to me because you don't agree?), but I was hoping to be able to make it smarter. Oh well.
|
|
|
|
=== on 15 Aug 2018, 18:28:35 Nicolas Harraudeau wrote:
|
|
This RSPEC is for now limited to detecting local variables of type ``++java.util.Random++``.
|
|
|
|
It could later cover cases where the Random object is not even assigned:
|
|
|
|
----
|
|
(new Random()).nextInt()
|
|
----
|
|
|
|
endif::env-github,rspecator-view[]
|