javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes

Community Favorite
Author: semgrep
Download Count: 33,145

Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers. In current Node.js releases the function is a deprecated, undocumented alias of crypto.randomBytes (DEP0115) that may be removed in a future release; in early releases (the 0.x line) it was documented as generating non-cryptographically-strong pseudo-random data. Either way, replace it with crypto.randomBytes (or crypto.randomInt / crypto.randomUUID) wherever the output feeds session tokens, keys, nonces, or other security-sensitive values.

Definition

rules:
  - id: detect-pseudoRandomBytes
    message: Detected usage of crypto.pseudoRandomBytes, which does not produce
      secure random numbers.
    metadata:
      cwe:
        - "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator
          (PRNG)"
      owasp:
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js
      asvs:
        section: "V6: Stored Cryptography Verification Requirements"
        control_id: 6.3.1 Insecure Randomness
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values
        version: "4"
      category: security
      technology:
        - javascript
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern: crypto.pseudoRandomBytes

Examples

detect-pseudoRandomBytes.js

const crypto = require('crypto');

// crypto.randomBytes always draws from the platform CSPRNG and is not flagged.
// ok:detect-pseudoRandomBytes
crypto.randomBytes(16);

// The deprecated alias is matched wherever the member access appears.
// ruleid:detect-pseudoRandomBytes
crypto.pseudoRandomBytes(16);