54 lines
1.5 KiB
Plaintext
54 lines
1.5 KiB
Plaintext
include::../summary.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../rationale.adoc[]
|
|
|
|
include::../impact.adoc[]
|
|
|
|
// How to fix it section
|
|
|
|
include::how-to-fix-it/java-se.adoc[]
|
|
|
|
== Resources
|
|
|
|
include::../common/resources/docs.adoc[]
|
|
|
|
* Java Documentation - https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/SecureRandom.html[Class `java.security.SecureRandom`]
|
|
|
|
include::../common/resources/articles.adoc[]
|
|
|
|
include::../common/resources/presentations.adoc[]
|
|
|
|
include::../common/resources/standards-mobile.adoc[]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== is related to: S2245
|
|
|
|
=== on 22 Oct 2020, 10:37:32 Alexandre Gigleux wrote:
|
|
This rule should be made more generic and at minimum be supported by C#.
|
|
|
|
I would rename it "Pseudo-Random Number Generator (PRNG) seeds should not be predictable".
|
|
|
|
|
|
The test cases from the SARD Juliet Suite (\https://samate.nist.gov/SARD/testsuite.php) should be used as a reference to know what should be detected or not: CWE336_Same_Seed_in_PRNG
|
|
|
|
=== on 3 Nov 2020, 11:31:26 Pavel Mikula wrote:
|
|
This rule is not relevant for .NET. ``++System.Random++`` can have seed, but should not be used for cryptography as RSPEC-2245 defines. Security-related APIs like ``++RandomNumberGenerator++`` or ``++RNGCryptoServiceProvider++`` don't have a way to set seed (for obvious reasons).
|
|
|
|
endif::env-github,rspecator-view[]
|