G404 while using math/rand/v2 #1241
Comments
Yeah, the rule needs some update to handle v2 which is safe.
I guess I misread the message; maybe it still wants to use crypto, but there are plenty of use cases where one just needs a pseudo random and is not doing any crypto related work. Maybe I should just disable that rule.
I agree, in that case it is better to disable the rule if you intentionally want to use pseudo random values. Also I think it is faster than secure random if your use case is not security related.
A separate rule might be, though, to use v2 instead of v1, but maybe that's not gosec and more like another regular linter?
It sounds to me more like a regular linter.
Ok, closing then, thanks.
Summary
fire.go:92:51: G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (gosec)
That's with golangci-lint, or directly:
[/Users/dl/dev/fortio.org/terminal/fps/fire.go:92] - G404 (CWE-338): Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
even though I am importing "math/rand/v2".
Steps to reproduce the behavior
I have seen this almost everywhere, but for instance:
https://github.com/fortio/terminal/blob/58d343f9c7e65b59f2dd37cbf6e15d958e74ba82/brick/brick.go#L89
gosec version
latest from master
Go version (output of 'go version')
go version go1.22.8 darwin/arm64
Operating system / Environment
macOS
Expected behavior
No complaint when using math/rand/v2.
Actual behavior
G404 complaints as shown above.
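The thread's conclusion is that G404 is a reminder, not a verdict: math/rand/v2 is fine for cosmetic or non-security work, while anything an attacker could profit from guessing must come from crypto/rand. The following is an added example, not code from the fortio/terminal project or from gosec, showing both paths side by side with the suppression recorded where it is deliberate. The frame names and the `NewDemoRand` seeding helper are constructed for the demo; the `// #nosec G404` annotation is gosec's own per-line suppression syntax.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand/v2"
)

// Frames is a constructed stand-in for the animation frames a fire effect
// might cycle through; the names are assumptions for this example only.
var Frames = []string{"ember", "flame", "spark", "smoke"}

// NewDemoRand builds a seeded math/rand/v2 generator so the cosmetic path is
// reproducible in tests and demos. The second PCG seed is derived from the
// first purely for convenience (assumption, not a recommendation).
func NewDemoRand(seed uint64) *mrand.Rand {
	return mrand.New(mrand.NewPCG(seed, seed^0x9e3779b97f4a7c15))
}

// PickFrame chooses a frame for a purely visual animation. Predictability is
// harmless here, so math/rand/v2 is the right tool; the #nosec annotation
// records that G404 was reviewed and intentionally suppressed on this line.
func PickFrame(r *mrand.Rand) string {
	return Frames[r.IntN(len(Frames))] // #nosec G404 -- cosmetic animation, not security-sensitive
}

// NewSessionToken returns n random bytes from crypto/rand, hex-encoded.
// Session IDs, nonces, reset tokens and keys belong here, never in
// math/rand or math/rand/v2, whatever the seed.
func NewSessionToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("crypto/rand failed: %w", err)
	}
	return hex.EncodeToString(b), nil
}

func main() {
	fmt.Println("frame:", PickFrame(NewDemoRand(42)))
	tok, err := NewSessionToken(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
}
```

Under golangci-lint the equivalent per-line suppression is `//nolint:gosec`; either way, keeping the justification in the comment means a later reviewer can see why the weak generator was accepted rather than silently disabling G404 for the whole repository.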