Adding Membership.GeneratePassword() as a bad source of random data because of the bias.

Author: raulgarciamsft

csharp/ql/src/Security Features/InsecureRandomness.cs

@@ -15,7 +15,7 @@ string GeneratePassword()
         password = "mypassword" + BitConverter.ToInt32(randomBytes);
     }
 
-    // GOOD: Password is generated using a cryptographically secure RNG
+    // BAD: Membership.GeneratePassword is generates a password with a bias
     password = Membership.GeneratePassword(12, 3);
 
     return password;

csharp/ql/src/Security Features/InsecureRandomness.ql

@@ -59,6 +59,12 @@ module Random {
       this.getExpr() =
         any(MethodCall mc |
           mc.getQualifier().getType().(RefType).hasQualifiedName("System", "Random")
+          or
+          // by using `% 87` on a `byte`, this function has a bias
+          mc.getQualifier()
+              .getType()
+              .(RefType)
+              .hasQualifiedName("System.Web.Security", "GeneratePassword")
         )
     }
   }