Use of non-cryptographic random number generator in security context
ID | rust.cryptography.insecure_random
Severity | low
Resource | Cryptography
Language | Rust
Description
Use of non-cryptographic random number generator in security-sensitive function '$FN_NAME'. The RNG used is not suitable for cryptographic purposes such as key generation, nonces, or tokens. Use rand::rngs::OsRng, rand::rng(), getrandom, or ring::rand::SystemRandom for security-sensitive random number generation.
Rationale
The following code illustrates a vulnerable pattern detected by this rule:
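use rand::rngs::SmallRng;
use rand::SeedableRng;

fn generate_secret_key_smallrng() {
    // VULNERABLE: Use of non-cryptographic random number generator in security context
    // SmallRng is a fast, non-cryptographic PRNG (rand 0.8 API, `small_rng` feature).
    let mut rng = SmallRng::from_entropy();
    let key: [u8; 32] = rand::Rng::gen(&mut rng);
}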
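An added example, not part of the rule's own documentation, showing why the rule fires and what the corrected pattern looks like. Assumptions: `XorShift64` is a constructed toy stand-in for a fast non-cryptographic PRNG (it is not SmallRng's actual algorithm), and `secure_key` reads `/dev/urandom` on a Unix-like system to stay dependency-free, where production code would use one of the generators the rule names.

```rust
use std::fs::File;
use std::io::Read;

/// Toy xorshift64 generator (constructed stand-in for a fast non-cryptographic
/// PRNG; not SmallRng's algorithm). Every output is also the full internal state.
struct XorShift64(u64);

impl XorShift64 {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
}

/// Weak pattern: a 16-byte token built from two consecutive PRNG outputs.
fn weak_token(rng: &mut XorShift64) -> [u8; 16] {
    let mut t = [0u8; 16];
    t[..8].copy_from_slice(&rng.next_u64().to_le_bytes());
    t[8..].copy_from_slice(&rng.next_u64().to_le_bytes());
    t
}

/// Why the rule fires: the second half is a pure function of the first half.
fn second_half_from_first(token: &[u8; 16]) -> [u8; 8] {
    let mut first = [0u8; 8];
    first.copy_from_slice(&token[..8]);
    XorShift64(u64::from_le_bytes(first)).next_u64().to_le_bytes()
}

/// Corrected pattern: fill the key from the operating system's CSPRNG.
/// Assumption: /dev/urandom exists (Unix-like); use getrandom or OsRng for portability.
fn secure_key() -> std::io::Result<[u8; 32]> {
    let mut key = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut key)?;
    Ok(key)
}

fn main() {
    let token = weak_token(&mut XorShift64(0x9E37_79B9_7F4A_7C15)); // constructed seed
    assert_eq!(&second_half_from_first(&token)[..], &token[8..]);
    let key = secure_key().expect("OS random source unavailable");
    println!("weak token halves are linked; OS key has {} bytes", key.len());
}
```

With a cryptographic generator, no such relation between earlier and later output bytes is computable, which is the property key, nonce and token generation depends on.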