{
  "ruleId": "S011",
  "name": "Secure GUID Generation",
  "description": "GUIDs used for security purposes must be generated according to the UUID v4 standard using a CSPRNG",
  "category": "security",
  "severity": "error",
  "languages": ["All languages"],
  "tags": [
    "security",
    "owasp",
    "cryptographic-failures",
    "uuid",
    "guid",
    "randomness"
  ],
  "enabled": true,
  "fixable": false,
  "engine": "heuristic",
  "metadata": {
    "owaspCategory": "A02:2021 - Cryptographic Failures",
    "cweId": "CWE-338",
    "description": "Using weak or predictable methods to generate GUIDs/UUIDs for security purposes (session tokens, API keys, reset tokens) allows those values to be predicted or guessed. Security-critical GUIDs must be generated as UUID v4 values using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).",
    "impact": "High - Session hijacking, token prediction, unauthorized access",
    "likelihood": "Medium",
    "remediation": "Use UUID v4 generated with a CSPRNG: crypto.randomUUID() (Node.js 14.17+), the uuid library's v4(), or an equivalent secure random generator"
  },
  "patterns": {
    "vulnerable": [
      "Using Math.random() for GUID generation",
      "Using Date.now() or timestamp-based GUIDs for security tokens",
      "Using UUID libraries that are not backed by a CSPRNG",
      "Using UUID v1 (time-based) for security purposes",
      "Custom GUID generation without a CSPRNG"
    ],
    "secure": [
      "crypto.randomUUID() for Node.js 14.17+",
      "The uuid library's v4(), backed by a CSPRNG",
      "crypto.randomBytes() for custom implementations",
      "Platform-specific secure random: SecureRandom (Java), secrets (Python)"
    ]
  },
  "examples": {
    "violations": [
      "const sessionId = Math.random().toString(36);",
      "const token = Date.now() + '-' + Math.random();",
      "const apiKey = uuidv1(); // Time-based UUID",
      "const resetToken = generateGuid(); // Custom weak implementation"
    ],
    "fixes": [
      "const sessionId = crypto.randomUUID();",
      "const token = require('uuid').v4();",
      "const apiKey = crypto.randomBytes(32).toString('hex');",
      "const resetToken = crypto.randomUUID();"
    ]
  }
}
