Skip to content

New Rules Proposal: Detect usage of SHA1PRNG in java. #3707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

New Rules Proposal: Detect usage of SHA1PRNG in java. #3707

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3354c7d
Add files via upload
righettod Oct 30, 2025
f5973df
Fix reco
righettod Oct 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions java/lang/security/audit/crypto/use-of-sha1prng.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
package com.test;

import java.security.SecureRandom

public class Cases {

public void case1(String param, long x) {
//ruleid: use-of-sha1prng
SecureRandom sr0 = SecureRandom.getInstance("SHA1PRNG")
}

public void case2(String param, long x) {
//ok: use-of-sha1prng
SecureRandom sr1 = SecureRandom.getInstance("NativePRNG");
//ok: use-of-sha1prng
SecureRandom sr2 = new SecureRandom();
//ok: use-of-sha1prng
SecureRandom sr3 = SecureRandom.getInstanceStrong();
}
}
31 changes: 31 additions & 0 deletions java/lang/security/audit/crypto/use-of-sha1prng.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
rules:
- id: use-of-sha1prng
languages:
- java
severity: WARNING
message: Detected usage of SHA1PRNG, a pseudo random number generator algorithm which is considered insecure.
pattern: SecureRandom.getInstance("SHA1PRNG")
fix: On Java 8- use 'SecureRandom.getInstanceStrong()' and on Java 9+ use 'new SecureRandom()' to obtain a secure random instance using a pseudo random number generator algorithm suited for security related processing.
paths:
include:
- "**/*.java"
metadata:
category: security
owasp:
- A02:2021 Cryptographic Failures
technology:
- java
references:
- https://precli.readthedocs.io/0.5.9/rules/java/stdlib/java-security-weak-random/
- https://thesecurityvault.com/weak-random/
- https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html
- https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html#securerandom-number-generation-algorithms
- https://github.com/OWASP/mastg/issues/1685
- https://metebalci.com/blog/everything-about-javas-securerandom/
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
likelihood: LOW
impact: LOW
confidence: LOW
subcategory:
- audit