This rule enforces the use of secure and unpredictable random numbers in Kotlin applications. Using pseudo-random numbers can make your code vulnerable to attacks because pseudo-random numbers follow a deterministic sequence that can be predicted if the initial seed is known. This is especially crucial in contexts such as generating encryption keys, generating random identifiers, or performing any other security-related functionalities.
To adhere to this rule, avoid using SecureRandom with a fixed seed using the setSeed() method or passing a byte array to the SecureRandom constructor. Both of these methods produce pseudo-random numbers, which can lead to vulnerabilities in your code. Also, avoid reseeding a SecureRandom instance with a predictable value, such as the current time.
Instead, create a SecureRandom instance without a set seed, or use SecureRandom.getInstanceStrong(). Following these best practices helps you generate secure and unpredictable random numbers in your Kotlin applications.
Non-Compliant Code Examples
importjava.security.SecureRandom// Setting a fixed numeric seed
valrandom1=SecureRandom()random1.setSeed(123456L)// Noncompliant
// Setting a fixed string seed
valrandom2=SecureRandom("myseed".toByteArray())// Noncompliant
// Reseeding with predictable value
valrandom3=SecureRandom()valtime=System.currentTimeMillis()random3.setSeed(time)// Noncompliant: timestamp is predictable
Compliant Code Examples
importjava.security.SecureRandom// Let SecureRandom choose its own seed
valrandom1=SecureRandom()valbytes=random1.nextBytes(32)// Use strong instance (preferred)
valrandom2=SecureRandom.getInstanceStrong()valnumber=random2.nextInt()
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- kotlin-security # Rules to enforce Kotlin security.