[JAVA-2498] Standard Random Number Generator used in BaseCluster is not safe Created: 19/Apr/17  Updated: 27/Oct/23  Resolved: 20/Apr/17

Status: Closed
Project: Java Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Critical - P2
Reporter: Laurie paul Assignee: Unassigned
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Hi,

We got the below issue when we ran Veracode testing our code.

Insufficient Entropy (CWE ID 331)

Class : BaseCluster.java
line no: 336

We are using mongo-java-driver-3.4.1.jar

As per the issue, it seems a standard random number generator has been used when a more secure cryptographic generator should have been used.

Is this a false positive from Veracode, and can it be safely ignored?

If not, can you please let us know if it can be mitigated in the Java driver code?

Thanks,
lauriep



Comments
Comment by Ross Lawley [ 19/Apr/17 ]

Hi lauriep,

The use of Random in BaseCluster is acceptable because it is being used to randomly select a server from a pool of servers. In this context the driver does not need a cryptographically secure pseudo-random number generator such as SecureRandom. So I believe it is a false positive from Veracode.

For future reference, this project is for Java driver bugs or feature requests. The best place for questions regarding MongoDB usage or Java driver specifics is the mongodb-user mailing list or Stack Overflow, as you will reach a broader audience there. If your business requires an answer from MongoDB within a set time frame, then we do offer production support.

I hope that helps,

Ross

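The triage rule in the reply above, as an added illustration that is not code from the MongoDB Java driver or from either participant: a PRNG is a CWE-331 finding only where an adversary benefits from predicting its output. The `Server` type, `pickServer` and `newToken` are hypothetical names chosen for this example; the server list is constructed inline.

```java
import java.security.SecureRandom;
import java.util.List;
import java.util.concurrent.ThreadLocalRandom;

public final class RandomUsageTriage {

    /** Minimal stand-in for a server description (hypothetical, not the driver's class). */
    public static final class Server {
        final String address;
        Server(String address) { this.address = address; }
        @Override public String toString() { return address; }
    }

    /**
     * Load-balancing pick among servers that are already considered eligible.
     * Nothing about the choice needs to be unguessable, so a non-cryptographic
     * PRNG (java.util.Random / ThreadLocalRandom) is appropriate. This is the
     * same situation as the BaseCluster server selection discussed above, which
     * is why the scanner's "insufficient entropy" report is a false positive.
     */
    public static Server pickServer(List<Server> eligible) {
        if (eligible.isEmpty()) {
            throw new IllegalArgumentException("no eligible servers");
        }
        int index = ThreadLocalRandom.current().nextInt(eligible.size());
        return eligible.get(index);
    }

    /**
     * Contrast: a value whose secrecy matters (session token, nonce, salt).
     * Here the output must be unpredictable, so SecureRandom is required and a
     * java.util.Random would be a genuine CWE-331 finding.
     */
    public static byte[] newToken(int lengthBytes) {
        byte[] token = new byte[lengthBytes];
        new SecureRandom().nextBytes(token); // CSPRNG seeded from the OS entropy source
        return token;
    }

    public static void main(String[] args) {
        // Constructed sample input; addresses are placeholders.
        List<Server> servers = List.of(
                new Server("host-a.example:27017"),
                new Server("host-b.example:27017"),
                new Server("host-c.example:27017"));
        System.out.println("selected server: " + pickServer(servers));
        System.out.println("token length: " + newToken(32).length + " bytes");
    }
}
```

When reviewing such a finding, check what the random value is used for: routing and load-balancing decisions like the one above can stay on a fast PRNG, while anything an attacker could exploit by guessing must move to SecureRandom.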