59 lines
1.6 KiB
Plaintext
59 lines
1.6 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Creating a new ``++Random++`` object each time a random value is needed is inefficient and may produce numbers which are not random depending on the JDK. For better efficiency and randomness, create a single ``++Random++``, then store, and reuse it.
|
|
|
|
|
|
The ``++Random()++`` constructor tries to set the seed with a distinct value every time. However there is no guarantee that the seed will be random or even uniformly distributed. Some JDK will use the current time as seed, which makes the generated numbers not random at all.
|
|
|
|
|
|
This rule finds cases where a new ``++Random++`` is created each time a method is invoked.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
public void doSomethingCommon() {
|
|
Random rand = new Random(); // Noncompliant; new instance created with each invocation
|
|
int rValue = rand.nextInt();
|
|
//...
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,java]
|
|
----
|
|
private Random rand = SecureRandom.getInstanceStrong(); // SecureRandom is preferred to Random
|
|
|
|
public void doSomethingCommon() {
|
|
int rValue = this.rand.nextInt();
|
|
//...
|
|
----
|
|
|
|
|
|
=== Exceptions
|
|
|
|
A class which uses a ``++Random++`` in its constructor or in a static ``++main++`` function and nowhere else will be ignored by this rule.
|
|
|
|
== Resources
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|