The report suggests that Sonar just does not know exactly what the implementation of the java.util.Random used inside RandomStringUtils.secure().randomAlphanumeric(8) is (and especially the fact that it's based on java.security.SecureRandom when using #secure(), since 3.15.0 from what I understood).
I was wondering if SonarCloud had enough information (like the version of commons-lang3 in use in this module) to identify that RandomStringUtils.secure() is safe and if it’s something you would consider doing, or if it’s just too complex to assume something like this for a static analyzer.
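Added illustration, not code from the post or from commons-lang3 itself: the call form the rule flags next to an equivalent form that hands the SecureRandom instance to the library explicitly, so the source of randomness is visible in the caller's own code rather than hidden behind the factory. It assumes commons-lang3 3.15.0 or later (where secure() exists) and the long-standing static RandomStringUtils.random(..., Random) overload.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

public final class TokenGenerator {
    private static final int TOKEN_LENGTH = 8;

    // One SecureRandom per class; creating one per call is wasteful and unnecessary.
    private static final SecureRandom SECURE_RNG = new SecureRandom();

    // Form from the post: SecureRandom-backed inside the library (commons-lang3 >= 3.15.0),
    // but the static analyzer only sees a call into RandomStringUtils and cannot tell which
    // java.util.Random subclass the factory selected.
    static String viaSecureFactory() {
        return RandomStringUtils.secure().randomAlphanumeric(TOKEN_LENGTH);
    }

    // Equivalent output with the SecureRandom passed in by the caller. start/end of 0 with
    // letters and numbers enabled yields the same alphanumeric alphabet as randomAlphanumeric.
    static String viaExplicitSecureRandom() {
        return RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, SECURE_RNG);
    }

    // Sanity check a generated token against the contract both forms are expected to meet.
    static boolean isWellFormedToken(String token) {
        return token != null
                && token.length() == TOKEN_LENGTH
                && token.chars().allMatch(c -> Character.isLetterOrDigit(c) && c < 128);
    }

    public static void main(String[] args) {
        String a = viaSecureFactory();
        String b = viaExplicitSecureRandom();
        if (!isWellFormedToken(a) || !isWellFormedToken(b)) {
            throw new IllegalStateException("token does not match expected shape");
        }
        System.out.println("secure():        " + a);
        System.out.println("explicit RNG:    " + b);
    }
}
```

The explicit form changes nothing about the entropy source; it only moves the SecureRandom construction into code the analyzer can inspect, which is the information the post suggests SonarCloud is missing.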