HP Fortify - Insecure Randomness

New Contributor

HP Fortify - Insecure Randomness

HP Fortify is flagging swagger-ui.js as insecure, citing Math.random() as "Insecure Randomness". I'm using Swagger UI v2.2.6. Has there been a fix or response for this?

Thanks!

4 REPLIES
Moderator

Re: HP Fortify - Insecure Randomness

Swagger UI v. 2.2.6 is a very old version (from 2016). Try the latest version, 3.32.4.


Helen Kosova
SmartBear Documentation Team Lead
________________________
Did my reply answer your question? Give Kudos or Accept it as a Solution to help others. ⬇️⬇️⬇️
New Contributor

Re: HP Fortify - Insecure Randomness

Version 3.32.4 uses Math.random() as well, which will warrant the HP Fortify warning as well. The code below is from swagger-ui-3.32.4\dist\swagger-ui.js

// Minified webpack module factory from swagger-ui.js: e is the module object,
// t its exports. Math.random() only salts a per-load counter so the generated
// "Symbol(...)" keys stay unique; the value is not used as a secret.
function(e,t)
{
    var n=0,r=Math.random();
    e.exports=function(e)
    {
        return"Symbol(".concat(void 0===e?"":e,")_",(++n+r).toString(36))
    }
}
Moderator

Re: HP Fortify - Insecure Randomness

In that case, please open an issue here:

https://github.com/swagger-api/swagger-ui/issues


Helen Kosova
SmartBear Documentation Team Lead
Staff

Re: HP Fortify - Insecure Randomness

Math.random() is a commonly used function and is present in many popular libraries. SwaggerUI does not generate security sensitive context such as passwords or api keys. Thus, this notice should be a non-issue with regards to SwaggerUI.
