HP Fortify - Insecure Randomness

Question

HP Fortify is flagging swagger-ui.js as insecure, citing Math.random() as "Insecure Randomness". I'm using Swagger UI v2.2.6. Has there been a fix or response for this?&nbsp;Thanks!

hkosova · Answer

Swagger UI v. 2.2.6 is a very old version (from 2016). Try the latest version, 3.32.4.

tlai · Answer

Math.random() is a commonly used function and is present in many popular libraries. SwaggerUI does not generate security sensitive context such as passwords or api keys. Thus, this notice should be a non-issue with regards to SwaggerUI.

faizz_ui · Answer

Version 3.32.4 uses Math.random() as well, which will warrant the HP Fortify warning as well. The code below is from swagger-ui-3.32.4\dist\swagger-ui.js&nbsp;function(e,t){&nbsp;&nbsp;&nbsp;&nbsp;var&nbsp;n=0,r=Math.random();&nbsp;&nbsp;&nbsp;&nbsp;e.exports=function(e)&nbsp;&nbsp;&nbsp;&nbsp;{&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return"Symbol(".concat(void&nbsp;0===e?"":e,")_",(++n+r).toString(36))&nbsp;&nbsp;&nbsp;&nbsp;}}

hkosova · Answer

In that case, please open an issue here:
https://github.com/swagger-api/swagger-ui/issues

Forum Discussion

HP Fortify - Insecure Randomness

4 Replies

Related Content

How to set using insecure ssl in SoapUI?

entering random keys

Generate a random number within a range

Random factor calculation for Load Profile= Random

How to generate a random Number, String, AlphaNumeric string

Recent Discussions

'Reset' is not clearing the clientid/client secret from the pop up.

Long shot question from noob

How to disable 500 code by default in swagger 3?

GROUPING CONTROLLERS INTO SEPARATE SWAGGER UI PAGES

oneOf or anyOf for the header schema