Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive for G404 (crypto/rand vs math/rand/v2) #1278

Closed
klausman opened this issue Dec 20, 2024 · 3 comments
Closed

False positive for G404 (crypto/rand vs math/rand/v2) #1278

klausman opened this issue Dec 20, 2024 · 3 comments
Labels
bug

Comments

@klausman
Copy link

Summary

I am getting G404 lint warnings despite using math/rand/v2

Steps to reproduce the behavior

Example program:

package main

import (
        "fmt"
        "math/rand/v2"
)

func main() {
        fmt.Println("testing: ", rand.N(1000))
}
$ gosec ./...
[gosec] 2024/12/20 14:24:49 Including rules: default
[gosec] 2024/12/20 14:24:49 Excluding rules: default
[gosec] 2024/12/20 14:24:49 Including analyzers: default
[gosec] 2024/12/20 14:24:49 Excluding analyzers: default
[gosec] 2024/12/20 14:24:49 Import directory: /home/klausman/src/bla
[gosec] 2024/12/20 14:24:49 Checking package: main
[gosec] 2024/12/20 14:24:49 Checking file: /home/klausman/src/bla/main.go
Results:


[/home/klausman/src/bla/main.go:9] - G404 (CWE-338): Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    8: func main() {
  > 9:  fmt.Println("vim-go", rand.N(1000))
    10: }

Autofix:

Summary:
  Gosec  : 2.21.4
  Files  : 1
  Lines  : 10
  Nosec  : 0
  Issues : 1

gosec version

v2.21.4

Go version (output of 'go version')

go version go1.23.4 linux/amd64

Operating system / Environment

Debian testing (trixie)

Expected behavior

No warning G404 when using math/rand/v2

Actual behavior

See above
@klausman klausman changed the title False positive for G404 (crypto/rand vs math/rand/v2 False positive for G404 (crypto/rand vs math/rand/v2) Dec 20, 2024
@ccojocar ccojocar added the bug label Dec 20, 2024
@ccojocar
Copy link
Member

The math/rand/v2 package is not cryptographically secure, this is why you get the warning. You can check the documentation for more details https://pkg.go.dev/math/rand/v2#pkg-overview (See last sentence from Overview section).

@klausman
Copy link
Author

The math/rand/v2 package is not cryptographically secure, this is why you get the warning. You can check the documentation for more details https://pkg.go.dev/math/rand/v2#pkg-overview (See last sentence from Overview section).

It's depressing that crypto/rand is overly hard to use when math/rand/v2 exists. 99+% of the times, using a predictable RNG is fine in my programs, but of course gosec can't know. Is there a project-level way of disabling G404?

@ccojocar
Copy link
Member

It depends how you run gosec. There is an -exclude option where you can provide a list of rules which you want to ignore.

-exclude value
        Comma separated list of rules IDs to exclude. (see rule list)

If you run it via the golangci-lint tool, you can put it in the config file part of your project. https://golangci-lint.run/usage/linters/#gosec

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ccojocar @klausman