Usage of weak Pseudo-Random Number Generator (PRNG)

  • Rule ID: python_lang_weak_random
  • Languages: python
  • Source: weak_random.yml

Description

The random module in Python generates pseudorandom numbers that are not secure for cryptographic purposes. These numbers can be predicted if the seed is known, posing a risk to the security of applications that use them for generating secrets, tokens, or other security-sensitive elements.

Remediations

  • Do use secrets instead of random for generating random numbers in contexts where security is crucial. This ensures the randomness is cryptographically secure and unpredictable.
  • Do not use random for generating random numbers in cryptographic applications, including but not limited to key generation, authentication tokens, or security challenges.
  • Do not initialize random with predictable seeds, such as timestamps or other easily guessable values, if random must be used at all (for non-security purposes).
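The contrast below is an added example, not code from the Bearer rule or its documentation. It shows the anti-pattern (a token built from a seeded random.Random, whose output is fully reproducible once the seed is known) next to the remediated form using secrets, and it adds a small AST-based check that flags calls into the random module in the same spirit as this rule. The function names weak_token, secure_token and find_weak_random, the WEAK_CALLS set and the SAMPLE_SOURCE snippet are assumptions constructed for this illustration; the check is a simplified stand-in and not Bearer's implementation.

```python
"""Weak vs. cryptographically secure token generation, plus a simplified
AST check that flags uses of the `random` module in source code.
Added example for illustration; names and sample input are constructed."""
import ast
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def weak_token(length: int = 32, seed=None) -> str:
    """Anti-pattern: Mersenne Twister via `random`. Given the seed (for
    example a timestamp), the same token is regenerated every time, which is
    exactly why this is unsuitable for session tokens or secrets."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_token(length: int = 32) -> str:
    """Remediation: secrets.choice draws from the OS CSPRNG (os.urandom)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def secure_url_token(nbytes: int = 32) -> str:
    """Remediation for URL-safe tokens (password reset links, API keys)."""
    return secrets.token_urlsafe(nbytes)


# random-module functions whose use for security-sensitive values is flagged.
WEAK_CALLS = {"random", "randint", "randrange", "choice", "choices", "sample",
              "shuffle", "getrandbits", "uniform", "seed"}


def find_weak_random(source: str) -> list:
    """Return (line, call) pairs for each call into the `random` module,
    resolving both `import random as r` and `from random import choice as x`.
    Simplified stand-in for what a SAST rule like python_lang_weak_random does."""
    tree = ast.parse(source)
    module_aliases = {"random"}   # names bound to the random module
    imported = {}                 # local name -> original random.* name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "random":
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            for alias in node.names:
                imported[alias.asname or alias.name] = alias.name
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_aliases and f.attr in WEAK_CALLS):
            hits.append((node.lineno, f"{f.value.id}.{f.attr}"))
        elif isinstance(f, ast.Name) and imported.get(f.id) in WEAK_CALLS:
            hits.append((node.lineno, f.id))
    return sorted(hits)


# Constructed sample source: two weak usages plus a seeded RNG, one safe call.
SAMPLE_SOURCE = '''\
import random
import secrets
from random import choice as pick
import time

random.seed(time.time())
token = "".join(random.choice("abc") for _ in range(8))
other = pick("xyz")
safe = secrets.token_hex(16)
'''

if __name__ == "__main__":
    # A fixed seed reproduces the "secret" exactly: the predictability the rule warns about.
    print("seeded weak token twice:", weak_token(16, seed=1234), weak_token(16, seed=1234))
    print("secure token:", secure_token(16))
    for line, call in find_weak_random(SAMPLE_SOURCE):
        print(f"line {line}: weak PRNG call {call}")
```

Running the block prints the same weak token twice for the same seed, a fresh secure token, and flags lines 6, 7 and 8 of the constructed sample while leaving the secrets.token_hex call alone.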

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=python_lang_weak_random

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=python_lang_weak_random