G404 while using math/rand/v2

[ldemailly]

Summary

fire.go:92:51: G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (gosec)

that's with golanglint-ci, or directly:

[/Users/dl/dev/fortio.org/terminal/fps/fire.go:92] - G404 (CWE-338): Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)

even though I am importing "math/rand/v2"

Steps to reproduce the behavior

I have seen this almost everywhere but for instance

https://github.com/fortio/terminal/blob/58d343f9c7e65b59f2dd37cbf6e15d958e74ba82/brick/brick.go#L89

gosec version

latest from master

Go version (output of 'go version')

go version go1.22.8 darwin/arm64

Operating system / Environment

macOS

Expected behavior

no complaint when using rand/v2

Actual behavior

complaints

[ccojocar]

Yeah, the rule needs some update to handle v2 which is safe.

[ldemailly]

I guess I misread the message, maybe it still wants to use crypto but there are plenty of use case where one just needs a pseudo random and not doing any crypto related work. maybe I should just disable that rule

[ccojocar]

I agree, in that case is better to disable the rule if you intentionally want to use pseudo random values. Also I think is faster than secure random if your use case is not security related.

[ldemailly]

a seperate rule might be though to use v2 instead of v1 but maybe that’s not gosec and more like another regular linter?

[ccojocar]

It sounds to me more like a regular linter.

[ldemailly]

k closing then, thx