Create rule S4347: Secure random number generators must not output predictable values #3837
egon-okerman-sonarsource
left a comment
Mostly okay, just one compliant example should be changed I think.
digest.NextBytes(random);

IRandomGenerator vmpc = new VmpcRandomGenerator();
vmpc.AddSeedMaterial(Guid.NewGuid().ToByteArray());
I think it is preferable to use something else (e.g. turning SecureRandom.GenerateSeed into a byte array) here.
I'm not an expert on the matter, but reading the Guid.NewGuid docs:
On non-Windows platforms, starting with .NET 6, this function calls the OS's underlying cryptographically secure pseudo-random number generator (CSPRNG) to generate 122 bits of strong entropy. In previous versions of .NET, the entropy is not guaranteed to be generated by a CSPRNG.
It is recommended that applications not use the NewGuid method for cryptographic purposes.
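The seeding change the comment above asks for, shown as an added example rather than code from the PR or from the rule's own descriptions; it assumes the Bouncy Castle C# library (Org.BouncyCastle) is referenced and, for the last variant, .NET 6 or later:

```csharp
using System;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Security;

// Assumption: the Bouncy Castle C# library (Org.BouncyCastle.*) is referenced.
public static class VmpcSeeding
{
    // Pattern the review comment objects to: Guid.NewGuid() is not documented
    // as CSPRNG-backed on every .NET version, and a GUID carries at most
    // 122 random bits because the version and variant bits are fixed.
    public static IRandomGenerator SeededFromGuid()
    {
        IRandomGenerator vmpc = new VmpcRandomGenerator();
        vmpc.AddSeedMaterial(Guid.NewGuid().ToByteArray());
        return vmpc;
    }

    // Suggested replacement: SecureRandom.GenerateSeed returns a byte[] drawn
    // from the platform CSPRNG; 32 bytes gives a 256-bit seed.
    public static IRandomGenerator SeededFromSecureRandom()
    {
        byte[] seed = new SecureRandom().GenerateSeed(32);
        IRandomGenerator vmpc = new VmpcRandomGenerator();
        vmpc.AddSeedMaterial(seed);
        return vmpc;
    }

    // Same idea without Bouncy Castle's SecureRandom: the .NET
    // RandomNumberGenerator is always CSPRNG-backed (GetBytes needs .NET 6+).
    public static IRandomGenerator SeededFromDotNetRng()
    {
        byte[] seed = RandomNumberGenerator.GetBytes(32);
        IRandomGenerator vmpc = new VmpcRandomGenerator();
        vmpc.AddSeedMaterial(seed);
        return vmpc;
    }

    public static void Main()
    {
        byte[] output = new byte[16];
        SeededFromSecureRandom().NextBytes(output);
        Console.WriteLine(BitConverter.ToString(output));
    }
}
```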
egon-okerman-sonarsource
left a comment
LGTM
egon-okerman-sonarsource
left a comment
LGTM
Hey @jamie-anderson-sonarsource, there are two instances in the
You can see it if you click the preview on the top of the PR.
@gregory-paidis-sonarsource I resolved the problems, should be okay now.
You can preview this rule here (updated a few minutes after each push).
The shared files referenced by this PR are due to be changed by #3836. The shared content will no longer reference SecureRandom and will instead generically reference secure random number generators.
Review
A dedicated reviewer checked the rule description successfully for: