V5307. OWASP. Potentially predictable seed is used in pseudo-random number generator.
The analyzer has detected cases where a pseudo-random number generator is used. It may result in insufficient randomness or predictability of the generated number.
Case 1
A new object of the 'Random' type is created every time when a random value is required. This is inefficient and may result in creating numbers that are not random enough depending on the JDK.
Look at an example:
public void test() {
Random rnd = new Random();
}
For better efficiency and a more random distribution, create an instance of the 'Random' class, save and reuse it.
static Random rnd = new Random();
public void test() {
int i = rnd.nextInt();
}
Case 2
The analyzer has detected a suspicious code that initializes the pseudo-random number generator with a constant value.
public void test() {
Random rnd = new Random(4040);
}
Generated numbers are predictable. They are repeated every time the program runs. To avoid this, do not use a constant number. The developers may have used the current system time instead:
static Random rnd = new Random(System.currentTimeMillis());
public void test() {
int i = rnd.nextInt();
}