Scala Secure Random Hardcoded Seed Unsafe
Description
This detector identifies Scala code that uses hardcoded seeds with SecureRandom.setSeed() method calls. Using predictable or hardcoded seeds undermines the cryptographic security of SecureRandom, making generated random numbers predictable and potentially exploitable by attackers.
Detection Strategy
• Code must import java.security.SecureRandom, java.security._, or java.security.*
• A method call to 'setSeed' must be present in the code
• The setSeed call must be made on a SecureRandom object instance
• The first argument passed to setSeed must be a hardcoded value (literal number, string, or other compile-time constant)
• All conditions must be met simultaneously for the vulnerability to be reported
Vulnerable code example
import java.security.SecureRandom

class VulnerableSecureRandom {
  def unsafeRandom(): Unit = {
    val sr = new SecureRandom()
    sr.setSeed(123456L) // VULNERABLE: hardcoded seed makes random predictable
    val fixedSeed = Array[Byte](1, 2, 3, 4)
    sr.setSeed(fixedSeed) // VULNERABLE: a fixed byte array is also a hardcoded seed
  }
}

Secure code example
import java.security.SecureRandom

class SecureRandomFixed {
  def safeRandom(): Unit = {
    val sr = new SecureRandom() // SAFE: uses OS entropy for seeding
    // Generate random bytes without fixed seeding
    val bytes = new Array[Byte](16)
    sr.nextBytes(bytes)
  }
}
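As an added example (not part of the detector or its documentation), the following Scala program shows why the flagged pattern matters: with the SHA1PRNG provider, a seed set before any output fully determines the stream, so two instances seeded with the same literal emit identical bytes, while the self-seeded and runtime-supplemented variants do not. The object name SeedDemo and its method names are assumptions made for this illustration.

```scala
import java.security.SecureRandom

object SeedDemo {
  // Constructed demo: the pattern the detector flags. For SHA1PRNG, setSeed()
  // called before any nextBytes() REPLACES the internal state, so the whole
  // output stream is a deterministic function of the hardcoded seed.
  def seededStream(seed: Long, n: Int): Array[Byte] = {
    val sr = SecureRandom.getInstance("SHA1PRNG")
    sr.setSeed(seed) // hardcoded seed: anyone who reads the source can reproduce the output
    val out = new Array[Byte](n)
    sr.nextBytes(out)
    out
  }

  // Safe: the default constructor self-seeds from OS entropy on first use; no setSeed().
  def safeStream(n: Int): Array[Byte] = {
    val sr = new SecureRandom()
    val out = new Array[Byte](n)
    sr.nextBytes(out)
    out
  }

  // Also safe: setSeed() with entropy produced at runtime (generateSeed), not a
  // compile-time constant. The argument is not a literal, so the detector does not fire.
  def supplementedStream(n: Int): Array[Byte] = {
    val sr = new SecureRandom()
    sr.setSeed(sr.generateSeed(32))
    val out = new Array[Byte](n)
    sr.nextBytes(out)
    out
  }

  def main(args: Array[String]): Unit = {
    val a = seededStream(123456L, 16)
    val b = seededStream(123456L, 16)
    println(s"hardcoded seed -> identical streams: ${a.sameElements(b)}") // true

    val c = safeStream(16)
    val d = safeStream(16)
    println(s"OS-seeded -> identical streams: ${c.sameElements(d)}") // false

    val e = supplementedStream(16)
    val f = supplementedStream(16)
    println(s"runtime-supplemented -> identical streams: ${e.sameElements(f)}") // false
  }
}
```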