CRITICAL
Rule Definition
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
Remediation
Use a cryptographically secure generator such as java.security.SecureRandom, left to seed itself, for remember-me tokens, session identifiers, password-reset links and similar secrets, instead of java.util.Random or java.lang.Math.random(), whose 48-bit internal state can be recovered from a couple of observed outputs. Draw enough bytes (16 to 32) that the value cannot be enumerated, and do not shrink it afterwards with nextInt(n) or string truncation.
Violation Code Sample
/* Sample code 1 */
double value = java.lang.Math.random();
String rememberMeKey = Double.toString(value).substring(2); // Trim off the 0. at the front.
String user = "Doug";
String fullClassName = this.getClass().getName();
String testCaseNumber = fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length());
user += testCaseNumber;
String cookieName = "rememberMe" + testCaseNumber;
javax.servlet.http.Cookie rememberMe = new javax.servlet.http.Cookie(cookieName, rememberMeKey);
rememberMe.setSecure(true);
rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
request.getSession().setAttribute(cookieName, rememberMeKey);
response.addCookie(rememberMe);
response.getWriter().println(
user + " has been remembered with cookie: " + rememberMe.getName()
+ " whose value is: " + rememberMe.getValue() + "<br/>"
);
/* Sample code 2 */
// A cookie value derived from this pattern is flagged as a violation as well
int randNumber = new java.util.Random().nextInt(99);
/* Sample code 4 */
byte[] bytes = new byte[40];
new java.util.Random().nextBytes(bytes); // 40 bytes, but all derived from a 48-bit LCG state
String rememberMeKey = org.owasp.esapi.ESAPI.encoder().encodeForBase64(bytes, true);
String user = "Byron";
String fullClassName = this.getClass().getName();
String testCaseNumber = fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length());
user += testCaseNumber;
String cookieName = "rememberMe" + testCaseNumber;
/* Sample code 5 */
long l = new java.util.Random().nextLong();
String rememberMeKey = Long.toString(l);
String user = "Logan";
String fullClassName = this.getClass().getName();
String testCaseNumber = fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length());
user += testCaseNumber;
String cookieName = "rememberMe" + testCaseNumber;
Fixed Code Sample
java.security.SecureRandom sr = new java.security.SecureRandom(); // self-seeded by the provider; do not call setSeed() with your own value before first use, some providers would then use only that value
byte[] bytes = new byte[32];                                       // 256 bits; nextInt(1000) would leave a key space of 1000 guesses
sr.nextBytes(bytes);
String rememberMeKey = java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
String user = "Doug";
String fullClassName = this.getClass().getName();
String testCaseNumber = fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length());
user += testCaseNumber;
String cookieName = "rememberMe" + testCaseNumber;
javax.servlet.http.Cookie rememberMe = new javax.servlet.http.Cookie(cookieName, rememberMeKey);
rememberMe.setSecure(true);
// rememberMe.setPath("/benchmark/" + this.getClass().getSimpleName());
rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
// e.g., /benchmark/sql-01/BenchmarkTest01001
request.getSession().setAttribute(cookieName, rememberMeKey);
response.addCookie(rememberMe);
response.getWriter().println(
user + " has been remembered with cookie: " + rememberMe.getName()
+ " whose value is: " + rememberMe.getValue() + "<br/>"
);
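The violation samples above all share one weakness: java.util.Random is a 48-bit linear congruential generator, and every nextInt() hands out the top 32 bits of its state. An attacker who sees two consecutive outputs only has to brute-force the 16 hidden bits to recover the full state and predict every later value; the nextLong() in Sample code 5 is built from two consecutive next(32) calls, so a single remember-me cookie is enough. The program below is an added example, not code from this page or from the project the samples were taken from: it recovers the state from two observed nextInt() values, predicts the third, and then shows the remediated token generation with SecureRandom. The class name, the constant names and the 32-byte token length are my choices.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class PredictableRandomDemo {
    // Constants of java.util.Random's LCG: state' = (state * MULT + ADD) mod 2^48
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD  = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** Advance the 48-bit state by one step, exactly as Random.next() does. */
    private static long step(long state) {
        return (state * MULT + ADD) & MASK;
    }

    /**
     * Given two consecutive nextInt() outputs, recover the generator state
     * after the second one. nextInt() exposes bits 47..16 of the state, so
     * only the low 16 bits are unknown. Returns -1 if no candidate matches
     * (the outputs were not consecutive). A false match has probability
     * about 2^16 / 2^32, i.e. one in 65536; verify with a third output if needed.
     */
    public static long recoverState(int first, int second) {
        long high = (first & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1 << 16); low++) {
            long s1 = high | low;
            long s2 = step(s1);
            if ((int) (s2 >>> 16) == second) {
                return s2;
            }
        }
        return -1;
    }

    /** The next nextInt() the victim will produce from a recovered state. */
    public static int predictNextInt(long state) {
        return (int) (step(state) >>> 16);
    }

    /**
     * Remediation: a token with 256 bits from a self-seeded SecureRandom,
     * URL-safe Base64 so it can go straight into a cookie value.
     */
    public static String secureToken(SecureRandom sr) {
        byte[] bytes = new byte[32];
        sr.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        Random victim = new Random();   // time-derived seed, unknown to the attacker
        int o1 = victim.nextInt();      // e.g. two remember-me values the attacker observed
        int o2 = victim.nextInt();

        long state = recoverState(o1, o2);
        if (state < 0) {
            System.out.println("no consistent state found");
            return;
        }
        int predicted = predictNextInt(state);
        int actual = victim.nextInt();  // the victim's next token
        System.out.println("predicted=" + predicted + " actual=" + actual
                + (predicted == actual ? "  (next value predicted)" : "  (mismatch)"));

        // Optional cross-check: setSeed() XORs the argument with MULT, so seeding
        // with state ^ MULT gives a Random whose internal state equals the victim's.
        Random clone = new Random(state ^ MULT);
        clone.nextInt();                // consumes the value we already predicted
        System.out.println("clone and victim agree on the 4th value: "
                + (clone.nextInt() == victim.nextInt()));

        System.out.println("secure token: " + secureToken(new SecureRandom()));
    }
}
```

Compile and run it with `javac PredictableRandomDemo.java && java PredictableRandomDemo`; the predicted and actual values agree on every run, and the clone keeps tracking the victim indefinitely. Against SecureRandom there is no 48-bit state behind the outputs, so the same search finds nothing to exploit.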
Reference
http://cwe.mitre.org/data/definitions/330.html
Related Technologies
Technical Criterion
Secure Coding - Weak Security Features
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.