chore(sonar): silence cpp:S2245 PRNG false-positives in DNS jitter sites

Two SonarCloud "weak-cryptography" hotspots flagged uses of mt19937
(DNS_Cache.cpp:117) and rand() (PgSQL_Monitor.cpp:2956). Both are
non-cryptographic jitter sources -- one to spread the DNS cache TTL
refresh, the other to spread the DNS bookkeeping refresh interval --
with no security boundary touching them. Adding inline NOSONAR
annotations with the reasoning so future reviewers (human or bot)
don't have to re-derive it.
pull/5809/head
Rene Cannao 1 month ago
parent 742c049959
commit 6f63499731

@ -114,6 +114,8 @@ void* monitor_dns_resolver_thread(const std::vector<DNS_Resolve_Data*>& dns_reso
bool to_update_cache = false;
int cache_ttl = dns_resolve_data->ttl;
if (dns_resolve_data->ttl > dns_resolve_data->refresh_intv) {
// NOSONAR cpp:S2245 — mt19937 used for DNS-cache TTL jitter,
// a non-cryptographic timing tweak. No security boundary.
thread_local std::mt19937 gen(std::random_device{}());
const int jitter = static_cast<int>(dns_resolve_data->ttl * 0.025);
std::uniform_int_distribution<int> dis(-jitter, jitter);
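
Review bot: the NOSONAR marker sits on its own comment lines above `thread_local std::mt19937 gen(std::random_device{}());`, but Sonar applies NOSONAR only to issues raised on the line that carries the marker, so the finding on the mt19937 declaration is likely to stay open. Move the marker into a trailing comment on the declaration line, as the PgSQL_Monitor.cpp change does, and keep the rationale in the comment above it.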

@ -2953,7 +2953,7 @@ void* PgSQL_Monitor::monitor_dns_cache() {
delay_us *= 40;
if (delay_us > 1000000 || delay_us <= 0)
delay_us = 10000;
delay_us = delay_us + rand() % delay_us;
delay_us = delay_us + rand() % delay_us; // NOSONAR cpp:S2245 — non-crypto jitter to spread DNS refresh load; no security boundary.
}
// Walk the bookkeeper: drop orphans, requeue expired ones, keep
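
Review bot: on the `delay_us = delay_us + rand() % delay_us;` line, the trailing NOSONAR suppresses every Sonar issue reported on that line, not only cpp:S2245; the rule key after the marker is read as plain comment text. If the goal is to dismiss just this hotspot, marking it reviewed as safe in SonarCloud leaves other rules active here. Alternatively, moving this site to the thread_local std::mt19937 plus std::uniform_int_distribution pattern used in DNS_Cache.cpp would make the two jitter sites consistent and keep the rationale in one form.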
