rspec/rules/S4347/common/how-does-it-work.adoc
Egon Okerman ee3a611ce2
Modify rule S4347: Update to LayC format (APPSEC-975) (#2903)
## Review

A dedicated reviewer checked the rule description successfully for:

- [x] logical errors and incorrect information
- [x] information gaps and missing content
- [x] text style and tone
- [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
2023-08-23 13:18:37 +02:00


=== How does this work?
When the randomly generated data needs to be cryptographically strong, `SecureRandom` is the correct class to use. However, its documentation also states that "any seed material passed to a `SecureRandom` object must be unpredictable". When the caller passes no seed, the `SecureRandom` object seeds itself from an unpredictable source by default. Therefore, the easiest way to fix the issue is to use the default constructor without any calls to `SecureRandom.setSeed()`. This matters most with the `SHA1PRNG` implementation: a seed supplied before the first request for output replaces the self-seeding entirely, so two instances seeded with the same bytes produce the same sequence.
To go the extra mile, `SecureRandom.getInstanceStrong()` returns a `SecureRandom` instance that is guaranteed to use a strong algorithm, namely the one configured in the `securerandom.strongAlgorithms` security property. Such an instance may block while the platform gathers entropy, so it is best reserved for long-lived secrets such as keys rather than for every request.
If the randomly generated data is not used for cryptographic purposes and is not business critical, `java.util.Random` may be the better choice. In that case, setting a predictable seed can be acceptable, for instance to make a test or a simulation reproducible.
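The following program is an added example, not part of the rule description or of the SonarSource rspec repository; it contrasts a predictably seeded `SHA1PRNG` instance with a self-seeded `SecureRandom` and with `getInstanceStrong()`. The seed bytes and the 16-byte token length are constructed for the demonstration, and `HexFormat` assumes Java 17 or later.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;

public class SecureRandomSeedingDemo {

    // Constructed, predictable seed used only to show the failure mode.
    private static final byte[] PREDICTABLE_SEED = "static-seed".getBytes();

    // Noncompliant: with SHA1PRNG, a seed supplied before the first output
    // request replaces self-seeding, so the whole sequence is fixed by the seed.
    static byte[] predictableToken() throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(PREDICTABLE_SEED);
        byte[] token = new byte[16];
        rng.nextBytes(token);
        return token;
    }

    // Compliant: the default constructor self-seeds from the platform's
    // entropy source and no setSeed() call is made.
    static byte[] unpredictableToken() {
        SecureRandom rng = new SecureRandom();
        byte[] token = new byte[16];
        rng.nextBytes(token);
        return token;
    }

    // Compliant, stronger: the algorithm named in the
    // securerandom.strongAlgorithms security property. May block on some
    // platforms until enough entropy is available.
    static byte[] strongToken() throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstanceStrong();
        byte[] token = new byte[16];
        rng.nextBytes(token);
        return token;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        HexFormat hex = HexFormat.of();

        byte[] seededA = predictableToken();
        byte[] seededB = predictableToken();
        System.out.println("seeded  #1: " + hex.formatHex(seededA));
        System.out.println("seeded  #2: " + hex.formatHex(seededB));
        System.out.println("seeded tokens identical: " + Arrays.equals(seededA, seededB));

        byte[] defaultA = unpredictableToken();
        byte[] defaultB = unpredictableToken();
        System.out.println("default #1: " + hex.formatHex(defaultA));
        System.out.println("default #2: " + hex.formatHex(defaultB));
        System.out.println("default tokens identical: " + Arrays.equals(defaultA, defaultB));

        System.out.println("strong    : " + hex.formatHex(strongToken()));
    }
}
```

Running it shows the two `SHA1PRNG` tokens are byte-for-byte identical, because the generator's state was fully determined by the hardcoded seed, while the two default-constructed instances differ. On Linux, `getInstanceStrong()` typically resolves to `NativePRNGBlocking`, which reads `/dev/random` and can stall on a freshly booted or entropy-starved host; that is the reason for reserving it for long-lived keys.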