
I have created a class that generates random words (alphanumeric) using org.apache.commons.lang.RandomStringUtils.

    import java.security.SecureRandom;
    import org.apache.commons.lang.RandomStringUtils;

    // letters=true, numbers=true restricts output to [A-Za-z0-9]; start=end=0 selects the default range
    public String randomWord(int wordLength) {
        return RandomStringUtils.random(wordLength, 0, 0, true, true, null, new SecureRandom());
    }

This code works perfectly; however, when I submit it to Veracode, I get a medium-severity error, "Insufficient Entropy (CWE ID 331)".

I thought that using SecureRandom would have been enough to fix this error, but it is not, and I have no idea why.

Why is using SecureRandom not good enough or secure enough?
Is there a way of using org.apache.commons.lang.RandomStringUtils without making Veracode unhappy? Is there any other secure library that could be used to generate secure random alphanumeric words?

D.PETIT

1 Answer


SecureRandom is good enough to make a cryptographically secure pseudo-random number generator. It doesn't require setSeed for Veracode.

Veracode raises this flag because it doesn't support Apache RandomStringUtils.

See this link for more info; in your case you can mark this as a false positive. https://www.veracode.com/blog/research/cryptographically-secure-pseudo-random-number-generator-csprng
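As an added example (not code from the question or the answer above), here is a version of randomWord that draws from SecureRandom directly instead of going through RandomStringUtils, so the static analyzer sees the CSPRNG call rather than a library method it does not model. It also makes the entropy of the result explicit: a 62-symbol alphabet gives log2(62), about 5.95 bits per character, so a CWE-331 finding is only a true positive if wordLength is too short for the token's purpose. The class name, the helper names and the 128-bit target are my own choices, not anything the page specifies.

```java
import java.security.SecureRandom;

/**
 * Added example: secure alphanumeric tokens without RandomStringUtils.
 * Names and the 128-bit target are assumptions for illustration.
 */
public final class SecureAlphanumeric {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final double BITS_PER_CHAR = Math.log(ALPHABET.length()) / Math.log(2);
    // One SecureRandom for the class: construction is the expensive part, and the
    // instance is thread-safe, so there is no reason to create one per call.
    private static final SecureRandom RNG = new SecureRandom();

    private SecureAlphanumeric() {}

    /** Returns a uniformly random string of wordLength characters from ALPHABET. */
    public static String randomWord(int wordLength) {
        if (wordLength <= 0) {
            throw new IllegalArgumentException("wordLength must be positive");
        }
        StringBuilder sb = new StringBuilder(wordLength);
        for (int i = 0; i < wordLength; i++) {
            // nextInt(bound) rejection-samples, so a 62-way choice is not biased
            // the way (nextInt() % 62) would be.
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Entropy in bits of a uniformly chosen string of this length: n * log2(62). */
    public static double entropyBits(int wordLength) {
        return wordLength * BITS_PER_CHAR;
    }

    /** Smallest length whose entropy reaches the requested number of bits. */
    public static int lengthForBits(double bits) {
        return (int) Math.ceil(bits / BITS_PER_CHAR);
    }

    public static void main(String[] args) {
        int len = lengthForBits(128); // 22 characters for a 62-symbol alphabet
        System.out.printf("%d chars ~ %.1f bits: %s%n", len, entropyBits(len), randomWord(len));
    }
}
```

The point of lengthForBits is to turn a vague "is 8 characters enough?" into a number: 8 alphanumeric characters carry roughly 47.6 bits, which is fine for a display-only nonce but not for a session token or password-reset link, where 128 bits (22 characters) is the usual floor. If the string is meant to be a secret rather than a random word, choosing the length this way is what actually addresses CWE-331, independent of whether the scanner understands the library call.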