C & C++

Made by DeepSource

Avoid rand() and std::rand() for generating pseudorandom numbers CXX-W2016

Bug risk
Major

The C Standard library function rand() is a pseudorandom number generator with significant limitations. Generators of this kind use a deterministic algorithm to produce a sequence of numbers with acceptable statistical properties; the output only appears random. Every value is fully determined by the seed, so anyone who knows or can guess the seed can reproduce the entire sequence.

The problem with rand() is that the C Standard makes no guarantees about the quality of the sequence it produces: the algorithm, the period and RAND_MAX are all implementation-defined, and RAND_MAX may be as small as 32767. Typical implementations have a comparatively short period, which means that the sequence of numbers generated eventually repeats.

Moreover, the generated numbers are predictable. An observer who sees a few outputs can often recover the seed, especially when the seed is derived from a low-entropy source such as the current time, or when srand() is never called and the default seed of 1 is used. This makes rand() unsuitable for applications that require high-quality pseudorandom numbers, and in particular for anything security-sensitive such as tokens, identifiers that must not be guessable, or key material.

This also applies to std::rand() from the C++ standard library, which is the same function.

It is recommended to choose a generator that is sufficient for the specific needs of the application. The engines in <random>, for example std::mt19937 seeded from std::random_device, are appropriate for statistical and simulation uses. They are not cryptographically secure: whenever the output must be unpredictable to an attacker, obtain it from the operating system's cryptographically secure source instead.

Bad practice

#include <cstdlib>
#include <string>

std::string getNewIssueId() {
  std::string IssueId("ISSUE-");

  // Holds the ID, starting with the characters "ISSUE-" followed by an
  // integer in the range [0, 99999]. std::rand() is never seeded here, so the
  // same sequence of IDs is produced on every run, and on platforms where
  // RAND_MAX is 32767 the value can never exceed 32767.
  IssueId += std::to_string(std::rand() % 100000);

  return IssueId;
}

Recommended

#include <random>
#include <string>

std::string getNewIssueId() {
  std::string IssueId("ISSUE-");

  // Closed interval: every value in [0, 100000] is equally likely, with no
  // modulo bias.
  std::uniform_int_distribution<int> Dist(0, 100000);

  // Seed the engine once, from a non-deterministic source, and reuse it
  // across calls instead of reseeding on every ID.
  static std::mt19937 Engine(std::random_device{}());
  IssueId += std::to_string(Dist(Engine));

  return IssueId;
}
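To make the predictability concrete, the following is an added example (not DeepSource's code and not part of the original page). It models the issue-ID generator above as the victim, recovers a timestamp-derived seed by brute force from three observed IDs, checks whether `% 100000` can even cover the intended range on a platform whose RAND_MAX is 32767, and draws the same kind of numbers from a std::random_device-seeded std::mt19937 as the recommended snippet does. The timestamp seed, the window of plus or minus 500 seconds and the helper names (randIssueNumbers, recoverSeed, randCoversRange, makeSeededEngine, engineIssueNumbers) are assumptions made for the example.

```cpp
#include <cstdlib>
#include <iostream>
#include <random>
#include <vector>

// Victim model: issue numbers exactly as the "bad practice" snippet computes
// them, std::rand() % 100000, after seeding with `seed`.
std::vector<int> randIssueNumbers(unsigned seed, std::size_t count) {
    std::srand(seed);
    std::vector<int> out;
    out.reserve(count);
    for (std::size_t i = 0; i < count; ++i)
        out.push_back(std::rand() % 100000);
    return out;
}

// Attacker model (assumption for this example): the victim seeded with a Unix
// timestamp. Knowing a few consecutive IDs and the approximate time, try every
// candidate seed in [low, high] and return the one whose sequence matches, or
// -1 if none does.
long long recoverSeed(const std::vector<int>& observed, unsigned low, unsigned high) {
    for (unsigned long long seed = low; seed <= high; ++seed) {
        if (randIssueNumbers(static_cast<unsigned>(seed), observed.size()) == observed)
            return static_cast<long long>(seed);
    }
    return -1;
}

// Whether std::rand() % modulus can reach every residue. The C standard only
// guarantees RAND_MAX >= 32767, so on such a platform "% 100000" never yields
// anything above 32767.
bool randCoversRange(int modulus) {
    return RAND_MAX >= modulus - 1;
}

// Recommended side: build an engine whose state is seeded from several words
// of std::random_device output rather than a single 32-bit value.
std::mt19937 makeSeededEngine() {
    std::random_device rd;
    std::seed_seq seq{rd(), rd(), rd(), rd(), rd(), rd(), rd(), rd()};
    return std::mt19937(seq);
}

// Draw `count` issue numbers from the engine. A closed-interval distribution
// over [0, 99999] gives the same range as "% 100000" without modulo bias.
std::vector<int> engineIssueNumbers(std::mt19937& engine, std::size_t count) {
    std::uniform_int_distribution<int> dist(0, 99999);
    std::vector<int> out;
    out.reserve(count);
    for (std::size_t i = 0; i < count; ++i)
        out.push_back(dist(engine));
    return out;
}

int main() {
    // Constructed scenario: the victim seeded with a fixed timestamp.
    const unsigned victimSeed = 1700000000u;
    std::vector<int> observed = randIssueNumbers(victimSeed, 3);

    // The attacker knows only the IDs and that the seed lies within +/- 500 s.
    long long guess = recoverSeed(observed, victimSeed - 500, victimSeed + 500);
    std::cout << "recovered seed: " << guess << " (actual " << victimSeed << ")\n";
    std::cout << "rand() % 100000 covers the whole range: "
              << (randCoversRange(100000) ? "yes" : "no (RAND_MAX too small)") << "\n";

    std::mt19937 engine = makeSeededEngine();
    for (int n : engineIssueNumbers(engine, 3))
        std::cout << "ISSUE-" << n << "\n";
    return 0;
}
```

Note that std::mt19937 is a statistical generator, not a cryptographically secure one, and the standard does not require std::random_device to be non-deterministic. For values that must be unguessable to an attacker, such as session tokens or secrets, read bytes from the operating system's CSPRNG instead.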
