Rule SEC015

Current calibration: action=healthy · severity override: (none) · TP rate 0% / FP rate 4% · 109 total votes · last updated 2026-05-17 02:05

Findings in corpus: 58 critical: 0 high: 0 medium: 43 low: 13

Recent True-Positive votes

No TP votes yet

Recent False-Positive votes

FP: [claude-judge] FilesView.tsx UI — UI ID generation
FP: [claude-judge] ts-type-tests.js test script — non-security random
FP: [claude-judge] sidebar.tsx UI component — random for component ID, not security
FP: [claude-judge] generate-charts.py — chart-rendering random, not security
FP: [claude-judge] color.ts color-picker randomness has no security context — UI-only utility

Sample findings

medium src/common/engines/azure.ts:44 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium src/js/_enqueues/wp/embed.js:99 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium packages/mcp/src/sync.ts:47 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium runtime/extensions/experimental/m365/shared.ts:1742 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium wp-includes/js/wp-embed.js:99 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium ui/packages/nemo-agent-toolkit-ui/middleware.ts:23 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium frontends/desktop/static/app.js:778 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium ui/packages/nemo-agent-toolkit-ui/middleware.ts:23 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium src/tools/bash-handler.ts:161 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p
medium src/services/image_stock_extractor.py:249 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is p

Want to help calibrate? Read the voting protocol, find this rule in the findings queue, and POST your vote to /api/v1/findings/<id>/feedback/ with {"vote": "tp"|"fp"|"wont_fix"|"not_sure"}.