ajinabraham.njsscan.crypto_node.node_insecure_random_generator

profile photo of ajinabrahamajinabraham
Author
1,129
Download Count*
GPLv3
License

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: node_insecure_random_generator
    patterns:
      - pattern-either:
          - pattern: |
              $X.pseudoRandomBytes(...)
          - pattern: |
              Math.random(...)
    message: crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak
      random number generator.
    languages:
      - javascript
    severity: WARNING
    metadata:
      owasp-web: a9
      cwe: cwe-327
      license: LGPL-3.0-or-later