Introduced protections against predictable RNG abuse

[zcarroll4]

This change replaces all new instances of java.util.Random with the marginally slower, but much more secure java.security.SecureRandom.

We have to work pretty hard to get computers to generate genuinely unguessable random bits. The java.util.Random type uses a method of pseudo-random number generation that unfortunately emits fairly predictable numbers.

If the numbers it emits are predictable, then it's obviously not safe to use in cryptographic operations, file name creation, token construction, password generation, and anything else that's related to security. In fact, it may affect security even if it's not directly obvious.

Switching to a more secure version is simple and our changes all look something like this:

- Random r = new Random();
+ Random r = new java.security.SecureRandom();

More reading

• https://owasp.org/www-community/vulnerabilities/Insecure_Randomness
• https://metebalci.com/blog/everything-about-javas-securerandom/
• https://cwe.mitre.org/data/definitions/330.html

Powered by: pixeebot (codemod ID: pixee:java/secure-random)

[chirlu]

Is this some kind of advertisement/spam?

[buchen]

Is this some kind of advertisement/spam?

I'd say advertisement.

I do not think the change is relevant. It either changes tests or the random generation of new colors. I do not see it addressing any security relevant code.

[zcarroll4]

Not an ad but it was generated by Pixee as we attempt to generate findings for software vulnerabilities in open source code. Though Pixeebot generated a valid suggestion from a security perspective, (as was already noted above) this situation does not require more security and the current method is more performant. It is understandable that you close the PR. Thank you for being a good sport about this.