java:S2245 - Identification of Commons Lang `RandomStringUtils.secure()` as safe

Product: sonarcloud
Rule: java:S2245

We are getting a Security Hotspot for the use of Apache Commons Lang 3.17.0 `RandomStringUtils.secure().randomAlphanumeric(8)` (which fails our build, or failed, since I have now marked it as Safe).

The report suggests that Sonar just does not know exactly which implementation of `java.util.Random` is used inside `RandomStringUtils.secure().randomAlphanumeric(8)` (and especially the fact that it is based on `java.security.SecureRandom` when using `#secure()`, since 3.15.0 from what I understood).

I was wondering if SonarCloud had enough information (like the version of commons-lang3 in use in this module) to identify that RandomStringUtils.secure() is safe and if it’s something you would consider doing, or if it’s just too complex to assume something like this for a static analyzer.
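The following is an added example, not code from the original post or from SonarSource, showing the distinction the question is about: the `secure()` entry point of `RandomStringUtils` (backed by `java.security.SecureRandom`, available since commons-lang3 3.15.0) next to the `insecure()` entry point (backed by `ThreadLocalRandom`), plus a plain-JDK equivalent where the CSPRNG is visible to any reviewer or analyzer without library knowledge. The class name `TokenGeneration` and the method names are assumptions chosen for this example; it assumes commons-lang3 3.15.0 or later on the classpath.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

// Example class name (assumption for this illustration).
public class TokenGeneration {

    // SecureRandom-backed instance: what the poster's call uses on commons-lang3 >= 3.15.0.
    // Suitable for session identifiers, reset tokens and similar security-sensitive values.
    static String secureToken(int length) {
        return RandomStringUtils.secure().randomAlphanumeric(length);
    }

    // ThreadLocalRandom-backed instance: fine for test fixtures or display noise,
    // but a predictable PRNG, so it must not be used for anything an attacker could guess at.
    static String insecureToken(int length) {
        return RandomStringUtils.insecure().randomAlphanumeric(length);
    }

    // Plain-JDK equivalent with no library involved. Because the SecureRandom instance
    // appears directly in the code, a static analyzer can recognise the generator itself.
    private static final String ALPHANUMERIC =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RNG = new SecureRandom();

    static String jdkSecureToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextInt(bound) on SecureRandom is uniform over [0, bound), so no modulo bias.
            sb.append(ALPHANUMERIC.charAt(RNG.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("secure():   " + secureToken(8));
        System.out.println("insecure(): " + insecureToken(8));
        System.out.println("JDK:        " + jdkSecureToken(8));
    }
}
```

The hotspot is about the choice of generator, not the output length, but length matters too: an 8-character alphanumeric string drawn from 62 symbols carries about 47.6 bits (62^8 is roughly 2^47.6), which is adequate for many short-lived codes but short for a long-lived credential regardless of which generator produced it.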

Hi @tmortagne,

This is indeed the case.
I created a ticket and here it is so you can track progress: [SONARJAVA-5134] - Jira

All the best,

Irina