The java.security.SecureRandom
class provides a strong random number generator (RNG) appropriate for cryptography. However, seeding it
with a constant or another predictable value will weaken it significantly. In general, it is much safer to rely on the seed provided by the
SecureRandom
implementation.
This rule raises an issue when SecureRandom.setSeed()
or SecureRandom(byte[])
are called with a seed that is either one
of:
SecureRandom sr = new SecureRandom(); sr.setSeed(123456L); // Noncompliant int v = sr.next(32); sr = new SecureRandom("abcdefghijklmnop".getBytes("us-ascii")); // Noncompliant v = sr.next(32);
SecureRandom sr = new SecureRandom(); int v = sr.next(32);