Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Kotlin static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your KOTLIN code

"SecureRandom" seeds should not be predictable

intentionality - logical

security

Vulnerability

CriticalSonarSource default severity
click to learn more

Why is this an issue?

The java.security.SecureRandom class provides a strong random number generator (RNG) appropriate for cryptography. However, seeding it with a constant or another predictable value will weaken it significantly. In general, it is much safer to rely on the seed provided by the SecureRandom implementation.

This rule raises an issue when SecureRandom.setSeed() or SecureRandom(byte[]) are called with a seed that is either one of:

a constant
the system time

Noncompliant code example

val sr = SecureRandom()
sr.setSeed(123456L) // Noncompliant
val v = sr.nextInt()

val sr = SecureRandom("abcdefghijklmnop".toByteArray(charset("us-ascii"))) // Noncompliant
val v = sr.nextInt()

Compliant solution

val sr = SecureRandom()
val v = sr.nextInt()

Resources

OWASP Top 10 2021 Category A2 - Cryptographic Failures
OWASP Top 10 2017 Category A6 - Security Misconfiguration
MITRE, CWE-330 - Use of Insufficiently Random Values
MITRE, CWE-332 - Insufficient Entropy in PRNG
MITRE, CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)
MITRE, CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)
CERT, MSC63J. - Ensure that SecureRandom is properly seeded

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted