From 900b09327ec48cf07e62aaa920bc295c255b5986 Mon Sep 17 00:00:00 2001
From: Mihai Dragnea
Date: Mon, 8 Apr 2019 15:00:10 +0300
Subject: [PATCH] Fixed a warning reported by Veracode security scan: "Insufficient Entropy (CWE ID 331)(3 flaws): Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand(). If this random number is used where security is a concern, such as generating a session identifier or cryptographic key, use a trusted cryptographic random number generator instead. Location: - Color.swift 72 - Color.swift 73 - Color.swift 74"
---
 Cupcake/Color.swift | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/Cupcake/Color.swift b/Cupcake/Color.swift
index 7cf7ada..c465d2e 100644
--- a/Cupcake/Color.swift
+++ b/Cupcake/Color.swift
@@ -69,9 +69,21 @@ public func Color(_ any: Any?) -> UIColor? {
 }
 if string == "random" {
- r = Int(arc4random_uniform(256))
- g = Int(arc4random_uniform(256))
- b = Int(arc4random_uniform(256))
+ // generate cryptographically secure random bytes
+ // avoid warnings reported by security scans like Veracode
+ // https://developer.apple.com/documentation/security/1399291-secrandomcopybytes
+
+ var bytes = [UInt8](repeating: 0, count: 3)
+ let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
+ if status == errSecSuccess {
+ r = Int(bytes[0])
+ g = Int(bytes[1])
+ b = Int(bytes[2])
+ } else {
+ r = 0
+ g = 0
+ b = 0
+ }
 } else if string.hasPrefix("#") {
 if string.cpk_length() == 4 {