[JAVA-2498] Standard Random Number Generator used in BaseCluster is not safe Created: 19/Apr/17 Updated: 27/Oct/23 Resolved: 20/Apr/17 |
|
| Status: | Closed |
| Project: | Java Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Critical - P2 |
| Reporter: | Laurie paul | Assignee: | Unassigned |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Hi,

We got the below issue when we ran Veracode testing on our code:

Insufficient Entropy (CWE ID 331)
Class: BaseCluster.java

We are using mongo-java-driver-3.4.1.jar. As per the issue, it seems a standard random number generator has been used when a more secure cryptographic generator should have been used. Is this a false positive from Veracode, and can it be safely ignored? If not, can you please let us know if it can be mitigated in the Java driver code?

Thanks, |
| Comments |
| Comment by Ross Lawley [ 19/Apr/17 ] |
|
Hi lauriep,

The use of Random in BaseCluster is acceptable because it is being used to randomly select a server from a pool of servers. In this context the driver does not need a cryptographically secure pseudo-random number generator such as SecureRandom. So I believe it is a false positive from Veracode.

For future reference, this project is for Java driver bugs or feature requests. The best place for questions regarding MongoDB usage or Java driver specifics is the mongodb-user mailing list or stackoverflow, as you will reach a broader audience there. If your business requires an answer from MongoDB within a set time frame then we do offer production support.

I hope that helps,
Ross |
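The triage rule in the comment above, as an added illustration that is not code from the MongoDB Java driver or from anyone on this ticket: one method makes the kind of non-secret choice BaseCluster makes (pick one of several equivalent servers), where `java.util.Random` is adequate and a CWE-331 finding is a false positive; the other produces secret material, where the same generator would be a genuine defect and `SecureRandom` is required. The class name, method names, and the three hostnames are assumptions invented for this example; it needs Java 9 or later for `List.of`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.Random;
import java.util.concurrent.ThreadLocalRandom;

/**
 * Illustrative triage of a CWE-331 (Insufficient Entropy) SAST finding.
 * Hypothetical example code, not taken from the MongoDB Java driver; all
 * names here are assumptions chosen for the example.
 */
public final class RandomUsageTriage {

    /**
     * Load-balancing choice among equivalent servers (the BaseCluster case).
     * The only property needed is a roughly uniform spread. An attacker who
     * can predict the outcome learns nothing secret and gains nothing, so
     * java.util.Random (or ThreadLocalRandom, which extends it) is enough.
     * A scanner flagging this is a false positive to document, not to "fix".
     */
    public static String pickServer(List<String> candidates, Random rng) {
        if (candidates.isEmpty()) {
            throw new IllegalArgumentException("no candidate servers");
        }
        return candidates.get(rng.nextInt(candidates.size()));
    }

    /**
     * Security-sensitive value: a bearer token, session id, nonce or key.
     * Here predictability IS the vulnerability. java.util.Random is a 48-bit
     * linear congruential generator whose state can be recovered from a few
     * observed outputs, so using it here would be a real CWE-331/CWE-338
     * defect. A CSPRNG is required, hence the SecureRandom parameter type.
     */
    public static String newSessionToken(SecureRandom csprng, int numBytes) {
        if (numBytes < 16) {
            throw new IllegalArgumentException("token too short for a secret");
        }
        byte[] raw = new byte[numBytes];
        csprng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample pool; these hosts do not exist.
        List<String> pool = List.of(
            "mongo-a.example:27017",
            "mongo-b.example:27017",
            "mongo-c.example:27017");

        // Non-secret choice: a plain PRNG is fine.
        String chosen = pickServer(pool, ThreadLocalRandom.current());
        System.out.println("routing to " + chosen);

        // Secret material: must come from a CSPRNG.
        String token = newSessionToken(new SecureRandom(), 32);
        System.out.println("session token (256 bits): " + token);
    }
}
```

When reviewing a scanner report like the one in this ticket, the question to ask of each flagged `Random` is whether an adversary who could predict its output would gain anything: for server selection the answer is no, so the finding can be closed as a false positive with that justification recorded; for anything that must stay unguessable, switch to `SecureRandom` rather than suppressing the finding.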