launchdarkly / android-client-sdk

LaunchDarkly Client-side SDK for Android

The RNG used on Throttler.java has Insufficient Entropy #148

Closed lucasgomes-eti closed 2 years ago

lucasgomes-eti commented 2 years ago

Describe the bug
We performed an analysis on our code with Veracode and detected that the Random used in the Throttler class doesn't have enough entropy; see the detailed report below:

CWE 331 Insufficient Entropy Flaw Category: Cryptographic Issues Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().

Attack Vector: java.util.Random.nextLong Location: com/launchdarkly/sdk/android/Throttler.java 94 and com/launchdarkly/sdk/android/Throttler.java 88

Expected behavior
Use a trusted cryptographic random number generator instead.

SDK version 3.0.0

OS/platform Android 10

louis-launchdarkly commented 2 years ago

Hello @lucasgomes-eti, thank you for reaching out. The file in question does not use Random for any cryptographic behavior; instead, we use it to throttle our retries to mitigate the thundering herd problem when multiple clients retry at the same time.

If you don't mind, can you tell me what the intention and goal for your use of Veracode is? And also, if you get a false positive from the tool, what is your approach to that? That may give us a hint on how to avoid the scanner flagging this going forward.
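To make the distinction in the reply above concrete, here is an added illustration (not the SDK's own Throttler code): a hypothetical jittered-backoff helper where `java.util.Random` only spreads out reconnect timing, next to a token generator where the output must be unpredictable and `SecureRandom` is the right choice. Class and method names are invented for the example.

```java
import java.security.SecureRandom;
import java.util.Random;
import java.util.concurrent.TimeUnit;

// Hypothetical example, not the SDK's Throttler: exponential backoff with
// "full jitter" for reconnect attempts. The delay exists only to spread
// clients' retries apart (thundering herd), so nobody gains anything from
// predicting it and java.util.Random is adequate for this purpose.
public final class RetryJitterExample {
    private static final long BASE_MS = 1_000L;
    private static final long MAX_MS = 30_000L;
    private final Random jitter = new Random();

    // Returns a delay drawn uniformly from [0, min(MAX_MS, BASE_MS * 2^attempt)).
    long nextDelayMs(int attempt) {
        long ceiling = Math.min(MAX_MS, BASE_MS << Math.min(attempt, 20));
        return (long) (jitter.nextDouble() * ceiling);
    }

    // Contrast: a value an attacker must not be able to guess (session token,
    // nonce, key material) is the case CWE-331 is about, and it needs a
    // cryptographically strong generator such as SecureRandom.
    static byte[] newToken(int length) {
        byte[] token = new byte[length];
        new SecureRandom().nextBytes(token);
        return token;
    }

    public static void main(String[] args) throws InterruptedException {
        RetryJitterExample retry = new RetryJitterExample();
        for (int attempt = 0; attempt < 5; attempt++) {
            long delay = retry.nextDelayMs(attempt);
            System.out.printf("attempt %d: would wait %d ms%n", attempt, delay);
            // Sleep is capped so the demo finishes quickly.
            TimeUnit.MILLISECONDS.sleep(Math.min(delay, 50));
        }
        System.out.println("generated a " + newToken(16).length + "-byte token with SecureRandom");
    }
}
```

When triaging a CWE-331 finding, the question to answer is whether any party benefits from predicting the value; only when the answer is yes does the generator need to be cryptographic.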

lucasgomes-eti commented 2 years ago

Hey @louis-launchdarkly, thank you for the clarification. The Veracode scan is required by our client (and managed by them). As far as the process to point out a false negative goes, I really don't have access to it, so for me it is just opening a ticket for someone else, but I know that no change in the code is required, so they will probably close the issue directly on the Veracode platform.