javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes
Community Favorite
Author: semgrep
Download Count: 33,145
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
Definition
```yaml
rules:
  - id: detect-pseudoRandomBytes
    message: Detected usage of crypto.pseudoRandomBytes, which does not produce
      secure random numbers.
    metadata:
      cwe:
        - "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
      owasp:
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js
      asvs:
        section: "V6: Stored Cryptography Verification Requirements"
        control_id: 6.3.1 Insecure Randomness
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values
        version: "4"
      category: security
      technology:
        - javascript
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern: crypto.pseudoRandomBytes
```
Examples
detect-pseudoRandomBytes.js
```javascript
const crypto = require('crypto');

// randomBytes draws from the CSPRNG; the rule's pattern does not match it.
// ok:detect-pseudoRandomBytes
crypto.randomBytes(16);
// pseudoRandomBytes is the flagged API; the rule matches the member access
// wherever it appears, including inside a call.
// ruleid:detect-pseudoRandomBytes
crypto.pseudoRandomBytes(16);
```
Short Link: https://sg.run/pxze