Use of insecure rand/srand PRNG not suitable for security contexts

ID

c.cryptography.insecure_api_rand_srand

Severity

low

Resource

Cryptography

Language

C / C++

Description

The rand() PRNG should not be used in applications intended to be portable when randomness is needed; the portable random() is recommended instead. NOTE: In a cryptographic context, do not use random() either. Instead, use libsodium randombytes_random, POSIX getrandom (which reads from /dev/urandom), BCryptGenRandom on Windows, RAND_bytes if OpenSSL is available, etc.

Rationale

The following code illustrates a vulnerable pattern detected by this rule:

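#include <stdio.h>
#include <stdlib.h>

// The enclosing function is not shown in the original; make_id is a hypothetical name.
int make_id(char *id, size_t len)
{
	int r;
	int num;

	// ...

	// VULNERABLE: Use of insecure rand/srand PRNG not suitable for security contexts
	r = rand();
	num = snprintf(id, len, "ID%-d", r);

	// ...
	return num;
}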

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
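
One way to replace the flagged pattern when the ID must be unpredictable, using the getrandom call named in the description. This is an added example, not code from the detector or its documentation; the names fill_random and make_secure_id are hypothetical, and it assumes Linux with glibc 2.25 or later.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(): assumes Linux, glibc >= 2.25 */
#include <sys/types.h>

/* Fill buf with n bytes from the kernel CSPRNG; 0 on success, -1 on error. */
static int fill_random(void *buf, size_t n)
{
	unsigned char *p = buf;

	while (n > 0) {
		ssize_t got = getrandom(p, n, 0);
		if (got < 0) {
			if (errno == EINTR)
				continue;   /* interrupted by a signal: retry */
			return -1;          /* e.g. ENOSYS on an old kernel */
		}
		p += got;                   /* short read: ask for the rest */
		n -= (size_t)got;
	}
	return 0;
}

/* Hypothetical replacement for the flagged code: writes "ID" followed by
 * 32 hex digits (128 random bits) into id. Returns the ID length, or -1
 * if the buffer is too small or no randomness could be obtained. */
int make_secure_id(char *id, size_t len)
{
	unsigned char raw[16];
	size_t need = 2 + 2 * sizeof raw + 1;   /* "ID" + hex digits + NUL */

	if (id == NULL || len < need)
		return -1;          /* refuse to emit a truncated ID */
	if (fill_random(raw, sizeof raw) != 0)
		return -1;          /* fail closed; never fall back to rand() */

	memcpy(id, "ID", 2);
	for (size_t i = 0; i < sizeof raw; i++)
		snprintf(id + 2 + 2 * i, 3, "%02x", raw[i]);
	return (int)(need - 1);
}
```

Unlike the snprintf call in the flagged code, which silently truncates when len is too small, this version rejects an undersized buffer so that a shortened, lower-entropy ID is never produced.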

Configuration

This detector does not need any configuration.