SmartClient Forums > Smart GWT Technical Q&A

#1  9th Sep 2012, 21:34
raghunandan (Registered Developer; Join Date: Sep 2012; Posts: 11)

[bogus] Cryptographic Issues reported by Veracode

Following is the issue reported when the security audit was run over the Smart GWT 3.0 source code.

Insufficient Entropy
Standard random number generators do not provide a sufficient amount of entropy when used for security purposes.
Attackers can brute force the output of pseudorandom number generators such as rand().
Recommendations
If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found in an open source library such as OpenSSL.
Module                         Module Location
com/.../util/DataTools.java    4626
com/.../util/DataTools.java    4723
com/.../util/DataTools.java    4724

Can we have the resolution for this please?

#2  10th Sep 2012, 11:39
Isomorphic (Administrator; Join Date: May 2006; Posts: 37,053)

This appears to be a bogus report.

In general, security scanning tools produce a lot of bogus reports, because among other things they will scan methods that are not accessible from end user UI as though they were publicly accessible (this includes developer tools, code for command-line use, test code, etc).

If you believe you've found a security vulnerability you should submit a test case showing how the code could be exploited.
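As an added illustration of the distinction the reply draws between security-sensitive and other uses of a random number generator (this is not code from Smart GWT or from the Veracode report): an identifier such as a session token should come from java.security.SecureRandom, while a non-security use such as retry jitter can keep java.util.Random. The class name, method names and the 16-byte minimum are assumptions made for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Hypothetical helper (not part of Smart GWT) that keeps the two kinds of
// randomness apart, so a scanner finding can be triaged by reading the call site.
public final class RandomSources {
    // java.util.Random is a seeded linear congruential generator: fast and
    // reproducible, which is what test fixtures and back-off jitter want,
    // but its output is not unpredictable, so it must never name a session.
    private static final Random NON_SECURITY = new Random();

    // java.security.SecureRandom is seeded from the platform entropy source
    // (such as /dev/urandom on Linux) and is suitable for session ids,
    // CSRF tokens and password-reset links.
    private static final SecureRandom SECURITY = new SecureRandom();

    /** Unguessable, URL-safe identifier; 16 bytes gives 128 bits of entropy. */
    public static String sessionToken(int numBytes) {
        if (numBytes < 16) {
            throw new IllegalArgumentException("session tokens need at least 16 random bytes");
        }
        byte[] buf = new byte[numBytes];
        SECURITY.nextBytes(buf);   // fill the buffer from the CSPRNG
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Jitter for a retry delay: predictability is harmless here. */
    public static long retryDelayMillis(long baseMillis) {
        return baseMillis + NON_SECURITY.nextInt(250);
    }

    public static void main(String[] args) {
        String token = sessionToken(32);
        // 32 bytes encode to 43 unpadded base64url characters
        System.out.println("token length: " + token.length());
        System.out.println("retry in " + retryDelayMillis(1000) + " ms");
    }
}
```

When triaging a finding like the one above, the question is which of the two categories each flagged call site falls into; only the first needs the SecureRandom replacement.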

© 2010,2011 Isomorphic Software. All Rights Reserved