Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should issue warning for SecureRandom object created and used only once #1464

Closed
Mary904 opened this issue Mar 12, 2021 · 3 comments · Fixed by #1476
Closed

Should issue warning for SecureRandom object created and used only once #1464

Mary904 opened this issue Mar 12, 2021 · 3 comments · Fixed by #1476

Comments

@Mary904
Copy link

Mary904 commented Mar 12, 2021
edited

I found a false negative when spotbugs-maven-plugin checked the following line in eclipse/jetty.project.

BigInteger serial = BigInteger.valueOf(new SecureRandom().nextLong());

According to the description of DMI: Random object created and used only once (DMI_RANDOM_USED_ONLY_ONCE):

You should strongly consider using a java.security.SecureRandom instead (and avoid allocating a new SecureRandom for each random number needed).

Spotbugs should generate a warning because the code line BigInteger serial = BigInteger.valueOf(new SecureRandom().nextLong()); created and used SecureRandom object only once. As noted in the bug description, it should "avoid allocating a new SecureRandom for each random number". However, in the demo, this is allowed by Spotbugs without giving any warning so I think that this is a false negative.

The plugin version used is as follow:

            <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.1.4</version>
                <configuration>
                    <effort>Default</effort>
                    <threshold>Low</threshold>
                </configuration>
                <dependencies>
                    <dependency>
                        <groupId>com.github.spotbugs</groupId>
                        <artifactId>spotbugs</artifactId>
                        <version>4.1.4</version>
                    </dependency>
                </dependencies>
            </plugin>

Demo

Here is a small demo that could be used as test case. See #1475

import java.security.SecureRandom;
import java.util.Random;
import edu.umd.cs.findbugs.annotations.ExpectWarning;

public class DMI_RANDOM_USED_ONLY_ONCE {
    @ExpectWarning("DMI_RANDOM_USED_ONLY_ONCE")
    long m1(){
        return new SecureRandom().nextLong();  // This test case will fail now
    }

    @ExpectWarning("DMI_RANDOM_USED_ONLY_ONCE")
    long m2(){
        return new Random().nextLong();  // This will pass
    }
}
@welcome
Copy link

welcome bot commented Mar 12, 2021

Thanks for opening your first issue here! 😃
Please check our contributing guideline. Especially when you report a problem, make sure you share a Minimal, Complete, and Verifiable example to reproduce it in this issue.

@Xiaoven Xiaoven mentioned this issue Mar 12, 2021
Open
@KengoTODA KengoTODA mentioned this issue Mar 25, 2021
Closed
gloNelson pushed a commit to gloNelson/spotbugs that referenced this issue Mar 25, 2021
@cindyoliver-se
upload tests for issue spotbugs#1464
e96d5f9
gloNelson pushed a commit to gloNelson/spotbugs that referenced this issue Mar 25, 2021
@cindyoliver-se
fix spotbugs#1464
8c7d0c9
gloNelson added a commit to gloNelson/spotbugs that referenced this issue Mar 25, 2021
@gloNelson
upload tests for issue spotbugs#1464
08551ab
gloNelson added a commit to gloNelson/spotbugs that referenced this issue Mar 25, 2021
@gloNelson
fix spotbugs#1464
8bb0c3a
@gloNelson gloNelson mentioned this issue Mar 25, 2021
Merged
1 task
KengoTODA pushed a commit that referenced this issue Mar 29, 2021
@gloNelson
Fix #1464, and issue a warning for a SecureRandom new created and use…
f1ee08d 
…d only once (#1476)

* upload tests for issue #1464

* fix #1464

* execute spotbugs-tests:spotlessApply

* extract getClassConstantOperand() to a local variable
gamesh411 pushed a commit to gamesh411/spotbugs that referenced this issue Apr 15, 2021
@gloNelson @gamesh411
Fix spotbugs#1464, and issue a warning for a SecureRandom new created…
ce5e6c6 
… and used only once (spotbugs#1476)

* upload tests for issue spotbugs#1464

* fix spotbugs#1464

* execute spotbugs-tests:spotlessApply

* extract getClassConstantOperand() to a local variable
robinvandenbogaard pushed a commit to robinvandenbogaard/spotbugs that referenced this issue Apr 29, 2021
Add more test cases and fixed issues spotbugs#1464
754db27
@robinvandenbogaard
Copy link

This is generating a lot warnings for valid usages. I've added those to the test case and fixed the condition by adding parenthesis.

robinvandenbogaard pushed a commit to robinvandenbogaard/spotbugs that referenced this issue Apr 29, 2021
Add more test cases and fixed issues spotbugs#1464
6222036
robinvandenbogaard pushed a commit to robinvandenbogaard/spotbugs that referenced this issue Apr 29, 2021
Add more test cases and fixed issues spotbugs#1464
20b6484 
Add more test cases and fixed issues spotbugs#1464
@ptuomola ptuomola mentioned this issue May 5, 2021
Closed
1 task
@hinrik
Copy link

hinrik commented May 5, 2021

With 4.2.3 I'm now seeing false positives because of this change. E.g. this will trigger:

var r = new Random();
var tokenBuilder = new StringBuilder();
for (int i = 0; i < length; i++) {
    var position = r.nextInt(alphabet.length());
    tokenBuilder.append(alphabet.charAt(position));
}

Same for another class where I have a static Random object that gets used in an instance method.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #1464, and issue a warning for a SecureRandom new created and used only once gloNelson/spotbugs
3 participants
@hinrik @robinvandenbogaard @Mary904