Quartznet: Insufficient Entropy in System.Random

Created on 23 Nov 2017 · 4 Comments · Source: quartznet/quartznet

Quartz.Net is being flagged for using System.Random instead of a secure random number generator.
System.Random can be replaced by System.Security.Cryptography.RNGCryptoServiceProvider.

http://cwe.mitre.org/data/definitions/331.html

Version: 6.2.1

Expected behavior

No security issues.

Actual behavior

Security issues flagged.

Steps to reproduce

Run a security scanner that doesn't like System.Random.
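The issue asks for System.Random to be swapped for the cryptographic RNG. The following is an added example, not Quartz.NET code and not the content of the linked pull request: it puts a System.Random-based id suffix (the form a static scanner flags under CWE-331) beside the same routine built on the platform CSPRNG. The alphabet, suffix length and helper names are assumptions chosen for the demonstration. RNGCryptoServiceProvider, the class named in the report, still compiles but is marked obsolete from .NET 6 onward (SYSLIB0023); RandomNumberGenerator.Create() is the current factory and returns the same platform CSPRNG, so the example uses that.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not Quartz.NET code): the flagged pattern and its replacement,
// side by side, for a short random id suffix such as a trigger name.
public static class RandomIdExample
{
    // Assumed alphabet for the demonstration.
    private const string Alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";

    // Flagged form: System.Random is a deterministic PRNG seeded from the clock.
    // Adequate for sleep jitter or non-secret ids, but scanners flag every use.
    private static readonly Random WeakRng = new Random();

    public static string WeakSuffix(int length)
    {
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[WeakRng.Next(Alphabet.Length)];
        return new string(chars);
    }

    // Replacement form: the platform CSPRNG. RandomNumberGenerator instances are
    // documented as thread-safe, so one shared static instance is sufficient.
    private static readonly RandomNumberGenerator StrongRng = RandomNumberGenerator.Create();

    public static string StrongSuffix(int length)
    {
        var chars = new char[length];
        var buffer = new byte[4];
        // Largest multiple of Alphabet.Length that fits in a uint; values at or
        // above it are rejected so the modulo reduction stays uniform.
        uint n = (uint)Alphabet.Length;
        uint limit = uint.MaxValue - (uint.MaxValue % n);
        for (int i = 0; i < length; i++)
        {
            uint value;
            do
            {
                StrongRng.GetBytes(buffer);
                value = BitConverter.ToUInt32(buffer, 0);
            } while (value >= limit);
            chars[i] = Alphabet[(int)(value % n)];
        }
        return new string(chars);
    }

    public static void Main()
    {
        Console.WriteLine("System.Random:          " + WeakSuffix(8));
        Console.WriteLine("RandomNumberGenerator:  " + StrongSuffix(8));
    }
}
```

On .NET Core 3.0 and later the rejection-sampling loop can be replaced by the built-in RandomNumberGenerator.GetInt32(Alphabet.Length), which performs the same unbiased bounded draw. The cost of the swap is a few microseconds per id, which is why accepting the change to satisfy a scanner is reasonable even where, as the maintainer notes below, the values never needed strong entropy.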

All 4 comments

I created a pull request to fix this issue. https://github.com/quartznet/quartznet/pull/552

Thanks for reporting this. May I ask what is flagging this? As you may know, Quartz.NET does not use random values for anything that would actually require strong entropy guarantees. Random values are only used for trigger ids and sleep times.

The scanner does care that Quartz.Net is using System.Random in a perfectly ok manner, it is only flagging the use of a prohibited API. If you search for "static security scanner" it should be on the first page of results.

Thank you for responding.

PR merged, thank you.
