Using DigestUtils.md5Hex to generate a 32-digit random number in Java. It's being captured as a violation in the Veracode report.
Could you please advise how I can generate a 32-digit number in Java which should not be captured in the Veracode report?
While I can't speak for Veracode, you probably want to use an instance of SecureRandom to create random numbers for cryptographic or security token purposes.
To get thirty-two hexadecimal characters out of SecureRandom you need sixteen bytes and can then use a StringBuilder to turn those bytes into a String cheaply.
For example:
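    import java.security.SecureRandom;
    ...
    // SecureRandom draws from a cryptographically strong source
    SecureRandom random = new SecureRandom();
    // 16 random bytes = 128 bits = 32 hexadecimal characters
    byte[] bytes = new byte[16];
    random.nextBytes(bytes);
    StringBuilder builder = new StringBuilder();
    for (byte b : bytes) {
        // Mask to 0..255 so negative bytes are not sign-extended
        String hex = Integer.toHexString(b & 0xff);
        // Pad single-digit values so every byte yields two characters
        if (hex.length() == 1) {
            builder.append('0');
        }
        builder.append(hex);
    }
    String token = builder.toString();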
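
An added example, not part of the answer above: it generalizes the same SecureRandom approach to produce either hex characters or decimal digits (the question asks for a "32 digits number") and compares tokens with MessageDigest.isEqual instead of String.equals. The class and method names (RandomTokens, hexToken, decimalToken, matches) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class RandomTokens {
    // One shared instance is enough; SecureRandom is safe for concurrent use.
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Returns 2 * numBytes lowercase hex characters (16 bytes give 32 characters, 128 bits). */
    static String hexToken(int numBytes) {
        byte[] bytes = new byte[numBytes];
        RANDOM.nextBytes(bytes);
        char[] out = new char[numBytes * 2];
        for (int i = 0; i < numBytes; i++) {
            out[2 * i] = HEX[(bytes[i] >> 4) & 0x0f];   // high nibble
            out[2 * i + 1] = HEX[bytes[i] & 0x0f];      // low nibble
        }
        return new String(out);
    }

    /** Returns exactly `digits` decimal digits, leading zeros kept (32 digits is about 106 bits). */
    static String decimalToken(int digits) {
        StringBuilder sb = new StringBuilder(digits);
        for (int i = 0; i < digits; i++) {
            // nextInt(10) is uniform over 0..9, unlike nextInt() % 10.
            sb.append((char) ('0' + RANDOM.nextInt(10)));
        }
        return sb.toString();
    }

    /** Compares tokens without stopping at the first differing character. */
    static boolean matches(String expected, String presented) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                presented.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        String hex = hexToken(16);
        String dec = decimalToken(32);
        System.out.println(hex + " (" + hex.length() + " hex characters)");
        System.out.println(dec + " (" + dec.length() + " decimal digits)");
        System.out.println("same token matches: " + matches(hex, hex));
        System.out.println("fresh token matches: " + matches(hex, hexToken(16)));
    }
}
```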