SonarQube reported exactly one issue of type bug, and this is it.
Creating a new Random() object every time the method is called is inefficient; it seems better to create it once with new, like a constant, and reuse it.
Creating a new Random object each time a random value is needed is inefficient and may produce numbers which are not random depending on the JDK. For better efficiency and randomness, create a single Random, then store and reuse it.
The Random() constructor tries to set the seed with a distinct value every time. However, there is no guarantee that the seed will be random or even uniformly distributed. Some JDKs will use the current time as the seed, which makes the generated numbers predictable rather than random.
This rule finds cases where a new Random is created each time a method is invoked and assigned to a local variable of type Random.
Noncompliant Code Example
import java.util.Random;

public void doSomethingCommon() {
    Random rand = new Random(); // Noncompliant; new instance created with each invocation
    int rValue = rand.nextInt();
    // ...
}
Compliant Solution
import java.security.SecureRandom;
import java.util.Random;
// SecureRandom is preferred to Random; getInstanceStrong() would also do but throws the checked NoSuchAlgorithmException, so it cannot be a bare field initializer
private final Random rand = new SecureRandom();
public void doSomethingCommon() {
    int rValue = this.rand.nextInt();
    // ...
}
Exceptions
A class which uses a Random in its constructor or in a static main function and nowhere else will be ignored by this rule.
See
- OWASP Top 10 2017 Category A6 - Security Misconfiguration
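As an added example (not part of the original post or of SonarSource's rule text): the two patterns above side by side in one runnable class, with the clock-seeding failure mode the rule describes made explicit. The class and method names (`RandomReuseDemo`, `nextClockSeededPerCall`, `nextFromSharedInstance`, `newToken`, `distinctValues`) are chosen here, and the explicit `new Random(System.currentTimeMillis())` is an assumption standing in for a JDK that seeds from the clock, since a current JDK's no-arg constructor mixes in more than the clock.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;
import java.util.function.IntSupplier;

public class RandomReuseDemo {

    // One shared instance for the whole class. Both Random and SecureRandom are
    // thread-safe, so a static final field is enough; no per-call construction.
    private static final SecureRandom RNG = newStrongRandom();

    private static SecureRandom newStrongRandom() {
        try {
            return SecureRandom.getInstanceStrong();
        } catch (NoSuchAlgorithmException e) {
            // Platform default CSPRNG; still far better than java.util.Random
            return new SecureRandom();
        }
    }

    // Noncompliant pattern. The clock seed is passed explicitly here (an assumption,
    // to reproduce what the rule text describes for JDKs that seed from the time);
    // a modern JDK's no-arg Random() also mixes in a per-instance uniquifier.
    static int nextClockSeededPerCall() {
        return new Random(System.currentTimeMillis()).nextInt();
    }

    // Compliant pattern: reuse the shared instance.
    static int nextFromSharedInstance() {
        return RNG.nextInt();
    }

    // Hypothetical token helper: 32 bytes from the shared CSPRNG, URL-safe base64.
    static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Count distinct values over a burst of calls. A per-call clock-seeded Random can
    // only yield as many distinct values as milliseconds elapsed during the burst.
    static int distinctValues(IntSupplier source, int calls) {
        Set<Integer> seen = new HashSet<>();
        for (int i = 0; i < calls; i++) {
            seen.add(source.getAsInt());
        }
        return seen.size();
    }

    public static void main(String[] args) {
        int calls = 10_000;
        System.out.println("clock-seeded per call : "
                + distinctValues(RandomReuseDemo::nextClockSeededPerCall, calls)
                + " distinct of " + calls);
        System.out.println("shared SecureRandom   : "
                + distinctValues(RandomReuseDemo::nextFromSharedInstance, calls)
                + " distinct of " + calls);
        System.out.println("token: " + newToken());
    }
}
```

Compile and run with `javac RandomReuseDemo.java && java RandomReuseDemo`. Over a burst of 10,000 calls the per-call clock-seeded Random yields roughly as many distinct values as milliseconds the loop took (often single digits), while the shared SecureRandom yields all, or on a birthday collision almost all, 10,000; that collapse is what turns a "random" session or reset token into a guessable one. One caveat on getInstanceStrong(): it is selected by the securerandom.strongAlgorithms security property and on Linux defaults to NativePRNGBlocking, which reads /dev/random and could block at startup on older kernels with a starved entropy pool; new SecureRandom() is the usual choice when that is a concern.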