[metadata]
id = "MSC30-C"
type = "rule"
category = "MSC"
number = 30
title = "Do not use the rand() function for generating pseudorandom numbers"
description = """
Pseudorandom number generators use mathematical algorithms to produce a sequence
of numbers with good statistical properties, but the numbers produced are not
genuinely random. The C Standard rand() function makes no guarantees as to the
quality of the random sequence produced. The numbers generated by some
implementations of rand() have a comparatively short cycle, and the numbers can be
predictable. Applications that have strong pseudorandom number requirements must
use a generator that is known to be sufficient for their needs. The following
noncompliant code generates an ID with a numeric part produced by calling
the rand() function. The IDs produced are predictable and have limited randomness.
"""
severity = "Medium"
likelihood = "Unlikely"
priority = "P4"
level = "L3"
cert_version = "2016 Edition (Wiki)"
last_modified = "Aug 31, 2025"
[rules.cert_c.MSC30-C]
enabled = true
[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/MSC30-C.+Do+not+use+the+rand%28%29+function+for+generating+pseudorandom+numbers"
cwe = ["CWE-327", "CWE-330", "CWE-338", "CWE-676"]