Skip to content

False positive for G404 (crypto/rand vs math/rand/v2) #1278

Closed
@klausman

Description

@klausman

Summary

I am getting G404 lint warnings despite using math/rand/v2

Steps to reproduce the behavior

Example program:

package main

import (
        "fmt"
        "math/rand/v2"
)

func main() {
        fmt.Println("testing: ", rand.N(1000))
}
$ gosec ./...
[gosec] 2024/12/20 14:24:49 Including rules: default
[gosec] 2024/12/20 14:24:49 Excluding rules: default
[gosec] 2024/12/20 14:24:49 Including analyzers: default
[gosec] 2024/12/20 14:24:49 Excluding analyzers: default
[gosec] 2024/12/20 14:24:49 Import directory: /home/klausman/src/bla
[gosec] 2024/12/20 14:24:49 Checking package: main
[gosec] 2024/12/20 14:24:49 Checking file: /home/klausman/src/bla/main.go
Results:


[/home/klausman/src/bla/main.go:9] - G404 (CWE-338): Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    8: func main() {
  > 9:  fmt.Println("vim-go", rand.N(1000))
    10: }

Autofix:

Summary:
  Gosec  : 2.21.4
  Files  : 1
  Lines  : 10
  Nosec  : 0
  Issues : 1

gosec version

v2.21.4

Go version (output of 'go version')

go version go1.23.4 linux/amd64

Operating system / Environment

Debian testing (trixie)

Expected behavior

No warning G404 when using math/rand/v2

Actual behavior

See above

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions