CSHARP.HARDCODED.SEED : Hardcoded Random Seed (C#)

Summary

A fixed seed is used instead of a random one.

Using a fixed seed is not recommended because it causes the generator to produce a predictable sequence of numbers.

In C#, random numbers can be generated with both the System.Random class (cryptographically insecure) and the System.Security.Cryptography.RNGCryptoServiceProvider class (cryptographically secure). The latter generates cryptographically secure random numbers and is therefore preferred.

Properties

Class name: Hardcoded Random Seed (C#)
Japanese class name: Hardcoded Random Seed (C#)
Class category: Security
Mnemonic: CSHARP.HARDCODED.SEED
Category:
CWE: CWE:330 Use of Insufficiently Random Values
Supported languages: Available for C#.
Enabled/disabled: The check for this warning class is enabled by default. To disable the check, add the following WARNING_FILTER rule to the project configuration file.
WARNING_FILTER += discard class="Hardcoded Random Seed (C#)"

using System;
using System.Security.Cryptography;

namespace Random
{
  public class Random
  {
    public static void Main(string[] args)
    {
      System.Random r = new System.Random();                  // Insecure Random Number Generator (C#) warning issued here
      int[] array = MkRandomArray(Math.Abs(r.Next() % 1000)); // Single-use Random Number Generator (C#) warning issued here
      foreach (int i in array)
        Console.WriteLine(i);

      System.Random r2 = new System.Random(15);               // Two warnings issued here:
                                                              // - Insecure Random Number Generator (C#)
                                                              // - Hardcoded Random Seed (C#)
      for (int i = 0; i < 10; i++)
        Console.WriteLine("Random value with fixed seed: " + r2.Next()); // warning issued here
    }

    private static int[] MkRandomArray(int length)
    {
      int[] result = new int[length];
      for (int pos = 0; pos < length; pos++)
        result[pos] = new System.Random().Next();             // Two warnings issued here:
                                                              // - Insecure Random Number Generator (C#)
                                                              // - Single-use Random Number Generator (C#)
      return result;
    }
  }
}

In this example, the program could be modified as follows:

using System;
using System.Security.Cryptography;

public class Program
{
  // One generator for the lifetime of the program, kept in a field rather than created per call.
  // Note: RNGCryptoServiceProvider is marked obsolete from .NET 6 on; RandomNumberGenerator.Create() is its replacement.
  private static RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

  public static void Main(string[] args)
  {
    int[] array = MkRandomArray(Math.Abs(getRandomInt() % 1000));
    foreach (int i in array)
      Console.WriteLine(i);
  }

  private static int[] MkRandomArray(int length)
  {
    int[] result = new int[length];
    for (int pos = 0; pos < length; pos++)
    {
      result[pos] = getRandomInt();
    }
    return result;
  }

  // Draw four cryptographically secure bytes and interpret them as an int.
  private static int getRandomInt()
  {
    byte[] buffer = new byte[4];
    rng.GetBytes(buffer);
    return BitConverter.ToInt32(buffer, 0);
  }
}

Solution

Use System.Security.Cryptography.RNGCryptoServiceProvider instead of System.Random. Store the random generator in a field instead of a local variable.

Either generate the seed randomly at runtime or use a constructor without a seed parameter: when no seed is specified, the constructor typically creates an instance that is already seeded with a randomly generated value by default, as System.Random does.
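As an added example that is not part of this checker page or its product, the following program shows concretely why a hardcoded seed is flagged (two generators built from the same literal seed yield identical sequences) and how the current .NET API, RandomNumberGenerator, replaces RNGCryptoServiceProvider without any seed at all; the class and method names are illustrative.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example (not the checker's own code): predictability of a fixed seed
// versus the CSPRNG API that has superseded RNGCryptoServiceProvider.
public static class SeedDemo
{
    // Two System.Random instances built from the same literal seed produce the
    // same sequence: whoever knows (or guesses) the seed can predict every value.
    public static bool FixedSeedIsPredictable(int seed, int count)
    {
        var a = new Random(seed);
        var b = new Random(seed);
        var seqA = Enumerable.Range(0, count).Select(_ => a.Next()).ToArray();
        var seqB = Enumerable.Range(0, count).Select(_ => b.Next()).ToArray();
        return seqA.SequenceEqual(seqB); // true for any fixed seed
    }

    // Modern replacement: RandomNumberGenerator is the CSPRNG facade in .NET Core 3.0
    // and later. GetInt32 returns a uniform value in [0, toExclusive) without the
    // modulo bias of "Next() % 1000", and it never needs a seed.
    public static int SecureInt(int toExclusive) =>
        RandomNumberGenerator.GetInt32(toExclusive);

    // If a seeded System.Random is still wanted for non-security purposes (for
    // example reproducible test data), derive the seed from the CSPRNG at runtime
    // instead of hardcoding it, and keep the generator in a single field.
    private static readonly Random Reproducible =
        new Random(RandomNumberGenerator.GetInt32(int.MaxValue));

    public static int[] MkRandomArray(int length)
    {
        var result = new int[length];
        for (int pos = 0; pos < length; pos++)
            result[pos] = SecureInt(int.MaxValue);
        return result;
    }

    public static void Main()
    {
        Console.WriteLine($"Same seed, same sequence: {FixedSeedIsPredictable(15, 10)}");
        foreach (int i in MkRandomArray(SecureInt(1000)))
            Console.WriteLine(i);
        Console.WriteLine($"Runtime-seeded value: {Reproducible.Next()}");
    }
}
```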

Related configuration file parameters

The following parameters in the configuration file affect the check for this warning class.