I need to create a temporary file and store some data into it. I have written the following code to do so:

import org.apache.commons.lang.RandomStringUtils;
import java.security.SecureRandom;

[...]

String random = RandomStringUtils.random(10, 0, 0, true, true, null, new SecureRandom());
File tempFile = File.createTempFile("PREFIX-" + random, ".pdf");

[...]

It does work perfectly, but when I submit this code to Veracode, I get an “Insecure Temporary File (CWE ID 377)” error. I thought that using SecureRandom will make the temporary file name impossible to predict by attackers.

What is the right way to generate a temporary file without making Veracode unhappy?

While creating File using CreateTemp file (in lower version java) it will first create a filename with given suffix and prefix and a random number. format--> Prefix+randam number+Suffix. If the generated name already present it just increment the randam number. here comes the issue in algorithum where v can guess what will be the next filename.

The issue is resolved in Java 6. But still if u do Static scan in veracode they will show it as bug since they cause vulnerable issue in java version lower than 6. If you are using higher version then no problem. Just Skip it..

Reference from veracode: https://www.veracode.com/blog/2009/01/how-boring-flaws-become-interesting

I think the issue is resolved in Java 6 Update 11 release. Use latest version of Java.