Product: sonarcloud
Rule: java:S2245
We are getting a Security Hotspot for the use of Apache Commons Lang 3.17.0 RandomStringUtils.secure().randomAlphanumeric(8) (which fails our build, or failed, since I have now marked it as Safe).

The report suggests that Sonar just does not know exactly what the implementation of the java.util.Random used inside RandomStringUtils.secure().randomAlphanumeric(8) is (and especially the fact that it's based on java.security.SecureRandom when using #secure(), since 3.15.0 from what I understood).

I was wondering if SonarCloud had enough information (like the version of commons-lang3 in use in this module) to identify that RandomStringUtils.secure() is safe, and if it's something you would consider doing, or if it's just too complex to assume something like this for a static analyzer.
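As an added illustration (not code from the post above), the three shapes of an 8-character token generator that a reviewer of this hotspot would compare: the static helper, the secure() accessor the post uses, and a plain java.security.SecureRandom loop that depends on no library version. It assumes commons-lang3 3.17.0 on the classpath as in the post; the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

public class TokenGenerator {
    // One shared SecureRandom is enough; it is thread-safe and seeds itself.
    private static final SecureRandom RNG = new SecureRandom();
    private static final String ALPHANUMERIC =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Static helper: the generator behind it is not visible at the call site,
    // which is the situation java:S2245 is designed to report.
    static String staticHelperToken() {
        return RandomStringUtils.randomAlphanumeric(8);
    }

    // The form from the post: secure() returns an instance backed by SecureRandom.
    // Assumption from the post: the analyzer still reports this, because it does
    // not model the library version or the accessor's backing generator.
    static String secureAccessorToken() {
        return RandomStringUtils.secure().randomAlphanumeric(8);
    }

    // Library-independent equivalent: the SecureRandom is explicit in the code,
    // so the analyzer can see it regardless of which commons-lang3 is on the path.
    static String plainSecureRandomToken() {
        StringBuilder sb = new StringBuilder(8);
        for (int i = 0; i < 8; i++) {
            sb.append(ALPHANUMERIC.charAt(RNG.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(secureAccessorToken());
        System.out.println(plainSecureRandomToken());
    }
}
```

The third variant is the usual way to close the hotspot without marking it Safe by hand: the rule's finding is about what the analyzer can prove from the source, and an explicit SecureRandom field is provable where a fluent accessor inside a dependency is not.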