ee3a611ce2
## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
52 lines
1.4 KiB
Plaintext
52 lines
1.4 KiB
Plaintext
include::../summary.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../rationale.adoc[]
|
|
|
|
include::../impact.adoc[]
|
|
|
|
// How to fix it section
|
|
|
|
include::how-to-fix-it/java-se.adoc[]
|
|
|
|
== Resources
|
|
|
|
include::../common/resources/docs.adoc[]
|
|
|
|
include::../common/resources/articles.adoc[]
|
|
|
|
include::../common/resources/presentations.adoc[]
|
|
|
|
include::../common/resources/standards.adoc[]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== is related to: S2245
|
|
|
|
=== on 22 Oct 2020, 10:37:32 Alexandre Gigleux wrote:
|
|
This rule should be made more generic and at minimum be supported by C#.
|
|
|
|
I would rename it "Pseudo-Random Number Generator (PRNG) seeds should not be predictable".
|
|
|
|
|
|
The test cases from the SARD Juliet Suite (\https://samate.nist.gov/SARD/testsuite.php) should be used as a reference to know what should be detected or not: CWE336_Same_Seed_in_PRNG
|
|
|
|
=== on 3 Nov 2020, 11:31:26 Pavel Mikula wrote:
|
|
This rule is not relevant for .NET. ``++System.Random++`` can have seed, but should not be used for cryptography as RSPEC-2245 defines. Security-related APIs like ``++RandomNumberGenerator++`` or ``++RNGCryptoServiceProvider++`` don't have a way to set seed (for obvious reasons).
|
|
|
|
endif::env-github,rspecator-view[]
|