java:S2245 - Identification of Commons Lang `RandomStringUtils.secure()` as safe

Product: sonarcloud
Rule: java:S2245

We are getting a Security Hotspot for the use of Apache Commons Lang 3.17.0 `RandomStringUtils.secure().randomAlphanumeric(8)` (which fails our build, or failed, since I have now marked it as Safe).

The report suggests that Sonar just does not know what the implementation of the `java.util.Random` used inside `RandomStringUtils.secure().randomAlphanumeric(8)` is (and especially the fact that it’s based on `java.security.SecureRandom` when using `#secure()`, since 3.15.0 from what I understood).

I was wondering if SonarCloud had enough information (like the version of commons-lang3 in use in this module) to identify that `RandomStringUtils.secure()` is safe, and if it’s something you would consider doing, or if it’s just too complex for a static analyzer to assume something like this.
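An added example (not code from this thread, from SonarSource or from Commons Lang) showing the three Commons Lang forms side by side and how rule java:S2245 treats each; the class and method names are made up for illustration.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Three ways to build an 8-character alphanumeric token with Commons Lang 3.17.0,
 * annotated with how java:S2245 (PRNG usage is security-sensitive) treats each.
 * Class and method names are hypothetical, chosen for this illustration.
 */
public final class TokenGenerators {

    private static final SecureRandom SECURE = new SecureRandom();

    /**
     * Legacy static helper. In older releases this was backed by java.util.Random,
     * which is not a CSPRNG, so its output is predictable from a few observed values.
     * S2245 raises a Security Hotspot here, and that is a true positive.
     */
    static String legacyToken() {
        return RandomStringUtils.randomAlphanumeric(8);
    }

    /**
     * Instance helper: the RandomStringUtils returned by secure() is backed by
     * java.security.SecureRandom. This is the call the thread above is about:
     * the analyzer flagged it although it is the recommended, secure form.
     */
    static String secureToken() {
        return RandomStringUtils.secure().randomAlphanumeric(8);
    }

    /**
     * Explicit CSPRNG injection through the long-standing random(...) overload.
     * Because the SecureRandom is visible at the call site, an analyzer can
     * recognise the source without knowing the library version; this is a
     * workaround that does not require marking a hotspot as Safe.
     */
    static String explicitSecureToken() {
        return RandomStringUtils.random(8, 0, 0, true, true, null, SECURE);
    }

    public static void main(String[] args) {
        System.out.println("legacy   : " + legacyToken());
        System.out.println("secure() : " + secureToken());
        System.out.println("explicit : " + explicitSecureToken());
    }
}
```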

Hi @tmortagne,

This is indeed the case.
I created a ticket and here it is so you can track progress: [SONARJAVA-5134] - Jira

All the best,

Irina

Hello, in what version of SonarQube was this patched? We are still getting the same error on Enterprise Edition v2025.1.

Hi @akopric,

Welcome to the community!

Can you provide a code sample?

Thx,
Ann

Hello, thank you for the welcome. Sure thing:


Here is a screenshot with the highlighted error. Also, this is a Spring Boot Kotlin project with the latest versions of dependencies.

Hi,

Thanks for the screenshot. Based on the Jira ticket, this should be fixed in 2025.1, so I’m going to flag this for the language experts.

Ann


Thanks @akopric for the report!
It looks like the issue was fixed for Java but not Kotlin.
I will open a new ticket.

Here is the ticket for Kotlin: Jira


Thank you Romain! Looking forward to the fix.


The ticket for Kotlin is done. The fix should be on SonarQube Cloud soon, and included with the next releases of SonarQube Server/IDE.
