<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:57:22 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[JAVA-2498] Standard Random Number Generator used in BaseCluster is not safe</title>
                <link>https://jira.mongodb.org/browse/JAVA-2498</link>
                <project id="10006" key="JAVA">Java Driver</project>
                    <description>&lt;p&gt;Hi,&lt;/p&gt;

&lt;p&gt;We got the below issue when we ran Veracode testing our code.&lt;/p&gt;

&lt;p&gt;Insufficient Entropy (CWE ID 331)&lt;/p&gt;

&lt;p&gt;Class :  BaseCluster.java &lt;br/&gt;
line no:  336&lt;/p&gt;

&lt;p&gt;We are using mongo-java-driver-3.4.1.jar&lt;/p&gt;

&lt;p&gt;As per the issue, it seems a standard random number generator has been used when a more secure cryptographic generator should have been used.&lt;/p&gt;

&lt;p&gt;Is this a false positive from Veracode, and can it be safely ignored?&lt;/p&gt;

&lt;p&gt;If not, can you please let us know if it can be mitigated in java driver code.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br/&gt;
lauriep&lt;/p&gt;


</description>
                <environment></environment>
        <key id="375401">JAVA-2498</key>
            <summary>Standard Random Number Generator used in BaseCluster is not safe</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="2" iconUrl="https://jira.mongodb.org/images/icons/priorities/critical.svg">Critical - P2</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13202">Works as Designed</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="lauriep">Laurie paul</reporter>
                        <labels>
                    </labels>
                <created>Wed, 19 Apr 2017 11:02:18 +0000</created>
                <updated>Fri, 27 Oct 2023 13:21:13 +0000</updated>
                            <resolved>Thu, 20 Apr 2017 08:53:32 +0000</resolved>
                <votes>0</votes>
                <watches>2</watches>
                <comments>
                            <comment id="1552431" author="ross@10gen.com" created="Wed, 19 Apr 2017 12:47:39 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=lauriep&quot; class=&quot;user-hover&quot; rel=&quot;lauriep&quot;&gt;lauriep&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;The use of Random in BaseCluster is acceptable because it is being used to randomly select a server from a pool of servers.  In this context the driver does not need a cryptographically secure pseudo-random number generator such as SecureRandom. So I believe it is a false positive from Veracode.&lt;/p&gt;

&lt;p&gt;For future reference, this project is for Java driver bugs or feature requests. The best place for questions regarding MongoDB usage or the Java driver specifics is the &lt;a href=&quot;https://groups.google.com/forum/#!forum/mongodb-user&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;mongodb-user mailing list&lt;/a&gt; or &lt;a href=&quot;http://stackoverflow.com&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;stackoverflow&lt;/a&gt;, as you will reach a broader audience there.  If your business requires an answer from MongoDB within a set time frame then we do offer &lt;a href=&quot;https://www.mongodb.com/products/production-support&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;production support&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I hope that helps,&lt;/p&gt;

&lt;p&gt;Ross&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsybkv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>