[bogus] Cryptographic Issues reported by Veracode
Following is the issue reported when the security audit was run over the source code of Smart GWT 3.0.
Standard random number generators do not provide a sufficient amount of entropy when used for security purposes.
Attackers can brute force the output of pseudorandom number generators such as rand().
If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found in an open source library such as OpenSSL.
Can we have the resolution for this please?
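As an added illustration of the finding quoted above (example code written for this thread, not part of the Smart GWT source), the pattern the scanner flags is shown beside the remediation the finding text recommends; the seed value is an assumed constant chosen for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class SessionTokenDemo {

    // Pattern the scanner flags: java.util.Random is a deterministic PRNG with a
    // 48-bit state. Anyone who learns or guesses the seed reproduces every output.
    static String weakToken(long seed) {
        byte[] buf = new byte[16];
        new Random(seed).nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Remediation the finding recommends: a cryptographic RNG. SecureRandom seeds
    // itself from the platform entropy source; 16 bytes give a 128-bit token.
    static String secureToken() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Assumed seed for the demonstration: a millisecond timestamp, a common
        // weak seed choice. Two generators built from it yield identical "session
        // identifiers", which is why the output is considered predictable.
        long seed = 1356998400000L;
        String a = weakToken(seed);
        String b = weakToken(seed);
        System.out.println("java.util.Random, same seed: " + a + " == " + b
                + " -> identical: " + a.equals(b));

        // SecureRandom tokens are independent draws from an entropy-seeded CSPRNG.
        String s1 = secureToken();
        String s2 = secureToken();
        System.out.println("SecureRandom: " + s1 + " vs " + s2
                + " -> distinct: " + !s1.equals(s2));
    }
}
```

Whether such a finding matters in practice depends on triage: the weak pattern is only a vulnerability when the value feeds a security decision (session identifier, token, key) on a code path reachable by end users, which is the point the reply below makes.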
This appears to be a bogus report.
In general, security scanning tools produce a lot of bogus reports, because among other things they will scan methods that are not accessible from end user UI as though they were publicly accessible (this includes developer tools, code for command-line use, test code, etc).
If you believe you've found a security vulnerability you should submit a test case showing how the code could be exploited.