Avoid pseudo-random numbers

Metadata

ID: csharp-security/no-pseudo-random

Language: C#

Severity: Notice

Category: Security

CWE: 338

Description

Avoid pseudo-random generators, as they generate numbers that are easy to guess. Prefer more secure, cryptographically strong random generators.

Learn More

Non-Compliant Code Examples

using System;

class MyClass {
    public static void routine()
    {
        // System.Random is a pseudo-random generator; its output is easy to guess.
        var random = new Random();
        var bytes = new byte[16];
        var randomizeTwice = true;
        var randomizeThrice = false;
        random.NextBytes(bytes);
        if (randomizeTwice) {
            random.NextBytes(bytes);
        }
        if (randomizeThrice) {
            new Random().NextBytes(bytes);
        }
    }
}

Compliant Code Examples

using System.Security.Cryptography;

class MyClass {
    public static void routine()
    {
        // Cryptographic generator; disposed when the using block ends.
        using (var randomGenerator = RandomNumberGenerator.Create())
        {
            byte[] randomData = new byte[4];
            randomGenerator.GetBytes(randomData);
        }
    }
}
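
The following is an added example, not part of the rule's own samples. It shows why the rule flags `Random`: two instances created with the same seed produce the same bytes, while `RandomNumberGenerator` does not. The class name, helper names and seed value are hypothetical and constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class RandomComparison
{
    // Hypothetical helper: 16 bytes from System.Random created with a given seed.
    // The seed is a 32-bit int, so it fully determines every byte returned.
    static byte[] FromSeededRandom(int seed)
    {
        var bytes = new byte[16];
        new Random(seed).NextBytes(bytes);
        return bytes;
    }

    // Hypothetical helper: 16 bytes from the cryptographic generator.
    static byte[] FromCryptoGenerator()
    {
        var bytes = new byte[16];
        using (var generator = RandomNumberGenerator.Create())
        {
            generator.GetBytes(bytes);
        }
        return bytes;
    }

    static void Main()
    {
        const int seed = 12345; // constructed sample seed

        // Same seed, two separate Random instances.
        byte[] a = FromSeededRandom(seed);
        byte[] b = FromSeededRandom(seed);
        Console.WriteLine("System.Random, same seed twice:");
        Console.WriteLine("  " + BitConverter.ToString(a));
        Console.WriteLine("  " + BitConverter.ToString(b));
        Console.WriteLine("  identical: " + a.SequenceEqual(b));

        // Two separate calls to the cryptographic generator.
        byte[] c = FromCryptoGenerator();
        byte[] d = FromCryptoGenerator();
        Console.WriteLine("RandomNumberGenerator, two calls:");
        Console.WriteLine("  " + BitConverter.ToString(c));
        Console.WriteLine("  " + BitConverter.ToString(d));
        Console.WriteLine("  identical: " + c.SequenceEqual(d));
    }
}
```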