I’m really against committing this.  

It involves flipping from Random to SecureRandom for a bunch of places that do 
not require or need the security aspects of SecureRandom.   Randomly selecting 
the next server for load balancing and the redelivery stuff certainly does NOT 
require the full secure randomness.   

However, using SecureRandom in these cases would then start consuming system 
entropy that could then be needed for cases where it IS required, like 
cryptography.    Without that entropy available, it could severely slow down or 
hang some of the cryptography cases.

The Veracode notice explicitly says:

>  If this random number is used where security is a concern, such as 
> generating a session key or session identifier


which is NOT the case here.   Thus, this is not a concern.


Dan



On Dec 26, 2013, at 7:47 AM, MrLion <g...@git.apache.org> wrote:

> GitHub user MrLion opened a pull request:
> 
>    https://github.com/apache/camel/pull/80
> 
>    VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID 331)
> 
>    During a Veracode scan of our application we discovered several warnings in 
> Camel. Please review our fix and apply it if it makes sense.
> 
>    Quote from Veracode report below:
>    Insufficient Entropy (CWE ID 331)(7 flaws)
>    Description
>    Standard random number generators do not provide a sufficient amount of 
> entropy when used for security purposes.
>    Attackers can brute force the output of pseudorandom number generators 
> such as rand().
>    Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of 
> code. 1 day to fix.
>    Recommendations
>    If this random number is used where security is a concern, such as 
> generating a session key or session identifier, use a trusted cryptographic 
> random number generator instead. These can be found on the Windows platform 
> in the
>    CryptoAPI or in an open source library such as OpenSSL.
> 
> You can merge this pull request into a Git repository by running:
> 
>    $ git pull https://github.com/engagepoint/camel patch-ENT-Entropy
> 
> Alternatively you can review and apply these changes as the patch at:
> 
>    https://github.com/apache/camel/pull/80.patch
> 
> ----
> commit de7766f2451a7013b54c285f378bf7cbfef1d766
> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
> Date:   2013-12-20T14:43:55Z
> 
>    VERACODE-659: fix of CWE ID 331 insufficient entropy in RandomLoadBalancer
> 
> commit a1920ad74c7f10ce3148482bd7d033b530a3e681
> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
> Date:   2013-12-20T14:49:43Z
> 
>    VERACODE-660: fix of CWE ID 331 insufficient entropy in RedeliveryPolicy
> 
> commit a3ea9952d612a7214815d5ea3c2102fd7819eb6d
> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
> Date:   2013-12-20T14:52:50Z
> 
>    VERACODE-663: fix of CWE ID 331 insufficient entropy in 
> WeightedRandomLoadBalancer
> 
> commit fa7a52fe6ce05a26c3826161fc8c3e42eebb2861
> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
> Date:   2013-12-20T14:56:10Z
> 
>    VERACODE-654: fix of CWE ID 331 insufficient entropy in FileUtil
> 
> ----
> 

-- 
Daniel Kulp
dk...@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
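The decision rule in the reply above, written out as an added example that is not Camel's code and not part of this thread: ask whether an attacker gains anything from predicting the next value. Picking a backend, weighting that pick, or jittering a redelivery delay is not such a case, so a non-cryptographic generator is the right tool; a session identifier is, so it comes from SecureRandom. The backend names, weights and delay values are constructed for the demo, and the method names are this example's own.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ThreadLocalRandom;

/**
 * Added example (not Camel code): choose the generator by whether
 * predictability of its output has any security consequence.
 */
public final class RandomnessChoice {

    // One SecureRandom for the whole class: constructing it may seed from the
    // OS entropy source, so it is not something to do on every call.
    private static final SecureRandom SECURE = new SecureRandom();

    /** Non-security: uniform choice of a backend. ThreadLocalRandom (Java 7+)
     *  is fast, contention free and never touches the OS entropy pool. */
    static String pickBackend(List<String> backends) {
        int i = ThreadLocalRandom.current().nextInt(backends.size());
        return backends.get(i);
    }

    /** Non-security: weighted choice, in the spirit of a weighted load
     *  balancer. Draws r in [0, total) and walks the cumulative weights;
     *  returns the index of the chosen entry. */
    static int pickWeighted(int[] weights) {
        int total = 0;
        for (int w : weights) {
            if (w < 0) throw new IllegalArgumentException("negative weight");
            total += w;
        }
        if (total == 0) throw new IllegalArgumentException("all weights zero");
        int r = ThreadLocalRandom.current().nextInt(total);
        for (int i = 0; i < weights.length; i++) {
            r -= weights[i];
            if (r < 0) return i;
        }
        throw new AssertionError("unreachable: r < total by construction");
    }

    /** Non-security: redelivery delay with collision-avoidance jitter.
     *  A factor of 0.15 spreads the delay over [base*0.85, base*1.15]. */
    static long jitteredDelay(long baseMillis, double factor) {
        if (factor <= 0.0) return baseMillis;
        double spread = ThreadLocalRandom.current().nextDouble(-factor, factor);
        return Math.max(0L, Math.round(baseMillis * (1.0 + spread)));
    }

    /** Security-sensitive: a session identifier must be unguessable, so the
     *  bytes come from SecureRandom. 32 bytes = 256 bits, rendered as hex. */
    static String newSessionId() {
        byte[] buf = new byte[32];
        SECURE.nextBytes(buf);
        StringBuilder sb = new StringBuilder(buf.length * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input for the demo.
        List<String> backends = Arrays.asList("app-1", "app-2", "app-3");
        System.out.println("backend:          " + pickBackend(backends));
        System.out.println("weighted index:   " + pickWeighted(new int[] {1, 3, 6}));
        System.out.println("redelivery delay: " + jitteredDelay(1000L, 0.15) + " ms");
        System.out.println("session id:       " + newSessionId());
    }
}
```

Whether `new SecureRandom()` can stall depends on the JDK provider and on how the JVM is configured (the `securerandom.source` entry in `java.security`, or the `java.security.egd` system property), not on the call site; `-Djava.security.egd=file:/dev/./urandom` is the usual operator-side workaround when a JVM hangs at startup waiting for entropy. That is a separate question from the one in the review: the load-balancing and redelivery paths gain nothing from SecureRandom regardless of how it is configured.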
