Critiq Docs


security.random

Avoid seeding SecureRandom with predictable values

`new SecureRandom(byte[])` should not be initialized with literal byte arrays, short fixed buffers, or string-derived seeds.

# Metadata

| Field | Value |
|---|---|
| Rule ID | `java.security.predictable-securerandom` |
| Severity | high |
| Confidence | 0.86 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | cryptography, java, random, rules-catalog, security |

# Why it matters

A hardcoded or short seed reduces SecureRandom entropy to a guessable space, making downstream tokens, keys, and salts predictable.

# Remediation

Construct `SecureRandom` without arguments to use the system entropy source, or call `SecureRandom.getInstanceStrong()` and `generateSeed` for high-entropy material.
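The flagged pattern next to the two remediated forms, as an added example that is not part of the rule page or the Critiq project. The seed string `"app-seed-2024"`, the 16-byte token length and the 32-byte seed size are constructed values. The example also records a provider detail the one-line rationale above leaves implicit: with providers such as SHA1PRNG, a seed passed to the constructor before the first `nextBytes()` call replaces self-seeding entirely, so the generator's whole output is a deterministic function of that seed.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public final class SecureRandomSeeding {

    // Flagged by the rule: a string-derived seed ("app-seed-2024" is a constructed value).
    // With providers such as SHA1PRNG, a seed supplied before the first nextBytes() call
    // replaces self-seeding, so every instance built this way emits the same byte stream.
    static byte[] predictableToken() {
        byte[] seed = "app-seed-2024".getBytes(StandardCharsets.UTF_8);
        SecureRandom rng = new SecureRandom(seed);
        byte[] token = new byte[16];
        rng.nextBytes(token);
        return token;
    }

    // Remediation 1: the no-arg constructor self-seeds from the platform entropy source
    // on first use; nothing in the code base decides the seed.
    static byte[] unpredictableToken() {
        SecureRandom rng = new SecureRandom();
        byte[] token = new byte[16];
        rng.nextBytes(token);
        return token;
    }

    // Remediation 2: when a seed byte array is genuinely required (an API that only
    // accepts SecureRandom(byte[])), derive it from the strong instance with generateSeed,
    // never from a literal or string. getInstanceStrong() may block on some platforms
    // until enough entropy is available, so keep it off latency-critical paths.
    static SecureRandom seededFromStrongSource() throws NoSuchAlgorithmException {
        SecureRandom strong = SecureRandom.getInstanceStrong();
        byte[] seed = strong.generateSeed(32); // 256 bits of entropy for the seed itself
        return new SecureRandom(seed);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] p1 = predictableToken();
        byte[] p2 = predictableToken();
        System.out.println("fixed-seed token    : " + hex(p1));
        System.out.println("second instance same: " + Arrays.equals(p1, p2)
                + " (true on SHA1PRNG; provider-dependent elsewhere)");

        byte[] u1 = unpredictableToken();
        byte[] u2 = unpredictableToken();
        System.out.println("no-arg token        : " + hex(u1));
        System.out.println("second instance same: " + Arrays.equals(u1, u2));

        byte[] s = new byte[16];
        seededFromStrongSource().nextBytes(s);
        System.out.println("strong-seeded token : " + hex(s));
    }
}
```

Run it with `java SecureRandomSeeding.java` (single-file launch, Java 11 or later). Whether the two fixed-seed tokens come out identical depends on the installed provider: SHA1PRNG reproduces the stream exactly, while NativePRNG mixes the supplied seed with system entropy. The rule flags the constructor-with-literal pattern regardless, because the code cannot rely on which provider is selected at deployment.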

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.predictable-securerandom.rule.yaml`.