HARDCODED.SEED : Hardcoded Seed in PRNG

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

A pseudorandom number generator (PRNG) is passed a hard-coded seed value.

If a PRNG is always initialized with the same seed, it will always produce the same sequence of values. If the resulting pseudorandom numbers are used in a security context, this represents a security risk.

Class Name

Hardcoded Seed in PRNG

Significance

security

Mnemonic

HARDCODED.SEED

Categories

CWE	CWE:336	Same Seed in Pseudo-Random Number Generator (PRNG)
CERT-C	CERT-C:MSC32-C	Properly seed pseudorandom number generators
	CERT-C:MSC41-C	Never hard code sensitive information
CERT-CPP	CERT-CPP:MSC51-CPP	Ensure your random number generator is properly seeded
OWASP-2017	OWASP-2017:A6	Security misconfiguration
OWASP-2021	OWASP-2021:A5	Security misconfiguration

Availability

Available for C and C++.

Enabling

Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += discard class="Hardcoded Seed in PRNG"

#include <stdlib.h>
#include <stdio.h>

unsigned int my_hardcoded_seed(){return 5;}
unsigned int my_random_seed();                            /* defined elsewhere; doesn't return a hardcoded value */

void test_hardcoded_seed(){
  int i;
  srand(5);                    /* 'Hardcoded Seed in PRNG' warning issued here */
  for (i = 0; i<10; i++){
    printf("%d\n", rand());    /* the same sequence of 10 numbers is printed here every time test_hardcoded_seed() is called */
  }

  srand(my_hardcoded_seed());  /* 'Hardcoded Seed in PRNG' warning issued here */
  for (i = 0; i<10; i++){
    printf("%d\n", rand());    /* the same sequence of 10 numbers is printed here every time test_hardcoded_seed() is called */
  }

  srand(my_random_seed());                                /* ok: seed is not hardcoded */
  for (i = 0; i<10; i++){
    printf("%d\n", rand());
  }
}

This class is defined using HARDCODED_ARGS_* rules in the general template configuration file, and covers various common procedures that take PRNG seed parameters. For a full list, see the "Factory Settings" in the documentation for HARDCODED_ARGS_*.

To include an additional function or set of functions in the checks for this class, create a new set of HARDCODED_ARGS_* rules, where:

HARDCODED_ARGS_REGEX matches the function or set of functions you want to check.
HARDCODED_ARGS_LIST identifies the parameter position (or positions) that contains a PRNG seed value that should not be hardcoded.
HARDCODED_ARGS_CLASS_NAME = Hardcoded Seed in PRNG
HARDCODED_ARGS_CATEGORIES and HARDCODED_ARGS_BASE_RANK have the same settings as in the existing Hardcoded Seed in PRNG rules.

To remove a function or set of functions from the checks for this class, edit the configuration file to comment out the corresponding set of HARDCODED_ARGS_* rules.

The following configuration file parameters affect checks for this warning class.

HARDCODED.SEED : Hardcoded Seed in PRNG

Summary

Properties

Example

Notes

Relevant Configuration File Parameters