rspec/rules/S2245/java/rule.adoc

include::../description.adoc[]

As the ``++java.util.Random++`` class relies on a non-cryptographic pseudorandom number generator, this class and relating ``++java.lang.Math.random()++`` method should not be used for security-critical applications or for protecting sensitive data. In such context, the ``++java.security.SecureRandom++`` class which relies on a CSPRNG should be used in place.

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use a cryptographically secure pseudo random number generator (CSPRNG) like "java.security.SecureRandom" in place of a non-cryptographic PRNG.
* Use the generated random values only once.
* You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.

== Sensitive Code Example

----
Random random = new Random(); // Sensitive use of Random
byte bytes[] = new byte[20];
random.nextBytes(bytes); // Check if bytes is used for hashing, encryption, etc...
----

== Compliant Solution

[source,java]
----
SecureRandom random = new SecureRandom();
byte bytes[] = new byte[20];
random.nextBytes(bytes);
----

include::../see.adoc[]

* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
* https://wiki.sei.cmu.edu/confluence/x/oTdGBQ[CERT, MSC02-J.] - Generate strong random numbers

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]