mcp-server-semgrep/semgrep-rules/javascript/lang/security/detect-pseudoRandomBytes.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: detect-pseudoRandomBytes
  message: >-
    Detected usage of crypto.pseudoRandomBytes, which does not produce secure random
    numbers.
  metadata:
    cwe:
    - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
    owasp:
    - A02:2021 - Cryptographic Failures
    source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js
    asvs:
      section: 'V6: Stored Cryptography Verification Requirements'
      control_id: 6.3.1 Insecure Randomness
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values
      version: '4'
    category: security
    technology:
    - javascript
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
    references:
    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
  languages:
  - javascript
  - typescript
  severity: WARNING
  pattern: crypto.pseudoRandomBytes