Introduced protections against predictable RNG abuse

[pixeeai]

This change replaces all new instances of java.util.Random with the marginally slower, but much more secure java.security.SecureRandom.

We have to work pretty hard to get computers to generate genuinely unguessable random bits. The java.util.Random type uses a method of pseudo-random number generation that unfortunately emits fairly predictable numbers.

If the numbers it emits are predictable, then it's obviously not safe to use in cryptographic operations, file name creation, token construction, password generation, and anything else that's related to security. In fact, it may affect security even if it's not directly obvious.

Switching to a more secure version is simple and our changes all look something like this:

- Random r = new Random();
+ Random r = new java.security.SecureRandom();

More reading

• https://owasp.org/www-community/vulnerabilities/Insecure_Randomness
• https://metebalci.com/blog/everything-about-javas-securerandom/
• https://cwe.mitre.org/data/definitions/330.html

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:java/secure-random

Can this PR be safely reverted and rolled back?

• YES 💚
• NO ❌

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ pixeeai
❌ pixeebot[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[pixeeai]

@sherifnada I have signed the CLA for our developer account @pixeeai. How may we go about signing the CLA for our bot account @pixeebot?