No announcement yet.
  • Filter
  • Time
Clear All
new posts

  • [bogus] Cryptographic Issues reported by Veracode

    Following is the issue when the security audit was run over the source code on Smart GWT3.0 version.

    Insufficient Entropy
    Standard random number generators do not provide a sufficient amount of entropy when used for security purposes.
    Attackers can brute force the output of pseudorandom number generators such as rand().
    If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found in an open source library such as OpenSSL.
    Module # Class # Module Location
    com/.../util/ 4626
    com/.../util/ 4723
    com/.../util/ 4724

    Can we have the resolution for this please?

  • #2
    This appears to be a bogus report.

    In general, security scanning tools produce a lot of bogus reports, because among other things they will scan methods that are not accessible from end user UI as though they were publicly accessible (this includes developer tools, code for command-line use, test code, etc).

    If you believe you've found a security vulnerability you should submit a test case showing how the code could be exploited.