

ID: java-security/avoid-random

Language: Java

Severity: Notice

Category: Security

CWE: 330


Functions such as Math.random() and objects such as java.util.Random do not provide randomness strong enough for security-sensitive values. Consider using java.security.SecureRandom instead.

Non-Compliant Code Examples

public class ImageServlet {

  // Non-compliant (CWE-330): java.util.Random is not a cryptographically strong
  // generator, so a PIN drawn from it is predictable. Because the field is
  // static final, the value is also drawn once per class load and the same PIN
  // is reused for every request until the JVM restarts.
  public static final int PINCODE = new java.util.Random().nextInt(10000);

  // NOTE(review): the annotation's opening line (its name and "(") is missing
  // from this excerpt; only its attributes survive below.
      method = {GET, POST},
      value = "/challenge/logo",
      produces = MediaType.IMAGE_PNG_VALUE)
  // Returns the buffer from getBytes() (presumably the PNG logo; confirm) with
  // the four PIN digits written into fixed offsets 81216..81219.
  // NOTE(review): the closing braces of logo() and of the class are missing
  // from this excerpt.
  public byte[] logo() throws IOException {
    byte[] in = getBytes();

    // Zero-pad to four characters so each fixed offset below receives a digit.
    String pincode = String.format("%04d", PINCODE);

    // Each PIN character overwrites one byte of the buffer at a fixed offset;
    // the cast stores the character's code, not its numeric value.
    in[81216] = (byte) pincode.charAt(0);
    in[81217] = (byte) pincode.charAt(1);
    in[81218] = (byte) pincode.charAt(2);
    in[81219] = (byte) pincode.charAt(3);

    return in;
public class ImageServlet {

  // Non-compliant (CWE-330): Random (java.util.Random) is not a
  // cryptographically strong generator, so a PIN drawn from it is predictable.
  // Because the field is static final, the value is also drawn once per class
  // load and the same PIN is reused for every request until the JVM restarts.
  public static final int PINCODE = new Random().nextInt(10000);

  // NOTE(review): the annotation's opening line (its name and "(") is missing
  // from this excerpt; only its attributes survive below.
      method = {GET, POST},
      value = "/challenge/logo",
      produces = MediaType.IMAGE_PNG_VALUE)
  // Returns the buffer from getBytes() (presumably the PNG logo; confirm) with
  // the four PIN digits written into fixed offsets 81216..81219.
  // NOTE(review): the closing braces of logo() and of the class are missing
  // from this excerpt.
  public byte[] logo() throws IOException {
    byte[] in = getBytes();

    // Zero-pad to four characters so each fixed offset below receives a digit.
    String pincode = String.format("%04d", PINCODE);

    // Each PIN character overwrites one byte of the buffer at a fixed offset;
    // the cast stores the character's code, not its numeric value.
    in[81216] = (byte) pincode.charAt(0);
    in[81217] = (byte) pincode.charAt(1);
    in[81218] = (byte) pincode.charAt(2);
    in[81219] = (byte) pincode.charAt(3);

    return in;
public class ImageServlet {

  // Non-compliant (CWE-330): Random (java.util.Random) is not a
  // cryptographically strong generator, so a PIN drawn from it is predictable.
  // Being static final, the value is drawn once per class load and reused.
  public static final int PINCODE = new Random().nextInt(10000);

  // NOTE(review): the annotation's opening line (its name and "(") is missing
  // from this excerpt; only its attributes survive below.
      method = {GET, POST},
      value = "/challenge/logo",
      produces = MediaType.IMAGE_PNG_VALUE)
  // NOTE(review): the body of logo() and the closing braces of the method and
  // of the class are missing from this excerpt.
  public byte[] logo() throws IOException {
    // Non-compliant: Math.random() is also covered by this rule and is not a
    // cryptographically strong source.
    var v = Math.random();

Compliant Code Examples

import java.security.SecureRandom;
import org.apache.commons.codec.binary.Hex;

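class Class {
    /**
     * Generates a 32-byte secret token from a cryptographically strong source
     * and returns it hex-encoded (64 characters).
     *
     * <p>Fix: the previous version allocated the buffer but never filled it, so
     * every "token" would have been sixty-four {@code '0'} characters. The
     * buffer is now populated via {@link SecureRandom#nextBytes(byte[])}
     * before encoding.
     *
     * @return the token as a lowercase hex string
     */
    String generateSecretToken() {
        SecureRandom secRandom = new SecureRandom();

        byte[] result = new byte[32];
        // Without this call the buffer stays all zeros and the token is constant.
        secRandom.nextBytes(result);
        return Hex.encodeHexString(result);
    }
}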