CWE Rule 336

Same Seed in Pseudo-Random Number Generator (PRNG)

Since R2024a

Description

Rule Description

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Polyspace Implementation

The rule checker checks for Deterministic random output from constant seed.

Examples

Issue

This issue occurs when you use standard random number generator functions that have deterministic output given a constant seed.

The checker detects this issue with the following random number generator functions:

  • C Standard Library functions such as srand, srandom and initstate

  • OpenSSL functions such as RAND_seed and RAND_add

  • C++ Standard Library functions such as std::linear_congruential_engine<>::seed() and std::mersenne_twister_engine<>::seed() (and also the constructors of these class templates)

Risk

With constant seeds, random number generator functions produce the same output every time your program is run. Because that output is predictable, an attacker who knows how your program behaves can disrupt it.

Fix

Use a different standard random function or use a nonconstant seed.

Some standard random routines are inherently cryptographically weak, and should not be used for security purposes.

Example — Random Number Generator Initialization
#include <stdlib.h>

void random_num(void)
{
    srand(12345U); //Noncompliant
    /* ... */
}

This example initializes a random number generator using srand with a constant seed. The random number generation is deterministic, making this function cryptographically weak.

Correction — Use Different Random Number Generator

One possible correction is to use a random number generator that does not require a seed. This example uses rand_s.


#define _CRT_RAND_S
#include <stdlib.h>
#include <stdio.h>

unsigned int random_num_time(void)
{
    unsigned int number;
    errno_t err;
    err = rand_s(&number);

    /* rand_s returns zero on success and an error code otherwise */
    if(err == 0)
    {
        return number;
    }
    else
    {
        return err;
    }
}
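
The following C program is an added example, not part of the original page or of Polyspace. It shows that reseeding srand with the constant from the noncompliant example replays the same rand sequence, and it gives a POSIX counterpart to the rand_s correction. The helper names same_seed_repeats and fill_random are hypothetical, and the availability of /dev/urandom is an assumption about the target platform.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: returns 1 if seeding srand() twice with the same
 * value replays the same first n outputs of rand(); -1 if n is not 1..16. */
int same_seed_repeats(unsigned int seed, int n)
{
    int first[16];
    if (n < 1 || n > 16)
        return -1;
    srand(seed);
    for (int i = 0; i < n; i++)
        first[i] = rand();
    srand(seed);                 /* simulates the next program start */
    for (int i = 0; i < n; i++)
        if (rand() != first[i])
            return 0;
    return 1;
}

/* Hypothetical helper: fill buf with len bytes from the OS random source.
 * Assumes a POSIX system that exposes /dev/urandom. Returns 0 on success;
 * on failure returns -1 and zeroes buf so partial data is never used. */
int fill_random(void *buf, size_t len)
{
    size_t got = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        got = fread(buf, 1, len, f);
        fclose(f);
    }
    if (got != len) {
        memset(buf, 0, len);
        return -1;
    }
    return 0;
}

int main(void)
{
    unsigned char key[16];
    printf("constant seed repeats: %d\n", same_seed_repeats(12345U, 8));
    if (fill_random(key, sizeof key) != 0)
        return EXIT_FAILURE;     /* fail closed: no fallback to srand() */
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return EXIT_SUCCESS;
}
```
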

Check Information

Category: Others

Version History

Introduced in R2024a