Fix SonarQube Security Issue: Make Sure That Using This Pseudorandom Number Generator Is Safe Here in PHP
First, let’s understand the issue and why security tools report this warning.
These warnings usually appear when we work through the security and code-quality reports generated by tools like Fortify and SonarQube.
Before fixing the issue, let’s look at the two tools that report these warnings: Fortify and SonarQube.
SonarQube and Fortify are code analysis tools used in software development to identify issues in applications and improve the overall quality and security of the code.
SonarQube:
SonarQube mainly focuses on code quality, maintainability, code smells, bugs, and improving the overall structure of the application.
Fortify:
Fortify focuses more on application security by identifying vulnerabilities, security risks, and compliance-related issues in the code.
In simple terms, SonarQube helps us write cleaner and maintainable code, while Fortify helps us make the application more secure by finding potential security vulnerabilities.
In my case, I was combining the current timestamp (time()) with the output of rand() to generate a NotificationMsg. However, time() is predictable, and rand() uses a pseudorandom number generator, which is not considered a secure random generator.

Because of this, security analysis tools like Fortify and SonarQube may report the issue:
“Make sure that using this pseudorandom number generator is safe here.”
To resolve this security issue, I found two possible solutions:
- Use the random_int() function: random_int() generates cryptographically secure random integers and is suitable when we need secure random values.
- Use the random_bytes() function: random_bytes() is recommended for generating cryptographically secure random data, especially for tokens, reset keys, API keys, and other security-sensitive identifiers.
So, instead of using rand(), we should use secure random functions like random_int() or random_bytes() based on the requirement.
So I changed the function to use random_int():

And I changed it to use the random_bytes() function:

Final Recommendation
My suggestion is: Never use rand() or mt_rand() for security-related values.
This blog explains only one simple example of a random number generator issue, but when you scan a real project using Fortify or SonarQube, you may find many similar security issues related to weak random generation.
The same approach can be applied while fixing those vulnerabilities:
- Identify where weak random functions are used.
- Understand whether the value is security-sensitive or only for general purposes.
- Replace insecure functions with secure alternatives.
Use random_int() for secure random numbers like:
- Notification IDs
- OTP values
- Temporary numeric references
Use random_bytes() for stronger security requirements like:
- Authentication tokens
- Password reset keys
- API keys
- Secure identifiers
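As an added example (not the author’s code or the project’s own), here is the weak time()+rand() pattern described above next to the two secure replacements in PHP. The function names, the 6-digit format, the token length and the sample ranges are assumptions, not values from the original scan:

```php
<?php
declare(strict_types=1);

// Weak version (the pattern the scanners flag): time() is predictable and
// rand()/mt_rand() are not cryptographically secure, so anyone who knows
// roughly when the value was generated can narrow the search space a lot.
// The range 1000-9999 is a constructed sample value.
function weakNotificationId(): string
{
    return time() . rand(1000, 9999);
}

// Secure replacement for numeric, security-sensitive values (notification
// IDs, OTP values). random_int() reads from the OS CSPRNG and throws an
// Exception if no secure source is available instead of falling back silently.
function secureNotificationId(): string
{
    // Assumed format: a zero-padded 6-digit OTP-style value.
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Secure replacement for tokens, reset keys and API keys: random_bytes()
// returns raw CSPRNG bytes; hex-encode them so they are safe in URLs/headers.
function secureToken(int $bytes = 32): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('Token must be at least 16 bytes (128 bits)');
    }
    return bin2hex(random_bytes($bytes)); // 2 hex characters per byte
}

// Added caveat: when the token is later checked against a stored copy, use a
// constant-time comparison so the secure generation is not undone by a timing leak.
function tokenMatches(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

// Demo run
$otp   = secureNotificationId();
$token = secureToken();
printf("Weak id (do not use): %s\n", weakNotificationId());
printf("OTP: %s (length %d)\n", $otp, strlen($otp));
printf("Token: %s (length %d)\n", $token, strlen($token));
var_dump(tokenMatches($token, $token));
```

Run it with `php example.php`; the weak function is kept only to show what Fortify and SonarQube flag, and should be deleted once the secure versions are in place.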
A small change in random number generation can significantly improve application security and help resolve security findings reported by tools like Fortify and SonarQube.
During a security scan of a PHP application, Fortify reported a vulnerability because rand() was used to generate a NotificationMsg. After replacing it with random_int(), the security warning was resolved.
