Closed
Description
Summary
I am getting G404 lint warnings despite using math/rand/v2
Steps to reproduce the behavior
Example program:
package main

import (
	"fmt"
	"math/rand/v2"
)

func main() {
	fmt.Println("testing: ", rand.N(1000))
}
$ gosec ./...
[gosec] 2024/12/20 14:24:49 Including rules: default
[gosec] 2024/12/20 14:24:49 Excluding rules: default
[gosec] 2024/12/20 14:24:49 Including analyzers: default
[gosec] 2024/12/20 14:24:49 Excluding analyzers: default
[gosec] 2024/12/20 14:24:49 Import directory: /home/klausman/src/bla
[gosec] 2024/12/20 14:24:49 Checking package: main
[gosec] 2024/12/20 14:24:49 Checking file: /home/klausman/src/bla/main.go
Results:
[/home/klausman/src/bla/main.go:9] - G404 (CWE-338): Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
8: func main() {
> 9: fmt.Println("vim-go", rand.N(1000))
10: }
Autofix:
Summary:
Gosec : 2.21.4
Files : 1
Lines : 10
Nosec : 0
Issues : 1
gosec version
v2.21.4
Go version (output of 'go version')
go version go1.23.4 linux/amd64
Operating system / Environment
Debian testing (trixie)
Expected behavior
No warning G404 when using math/rand/v2
Actual behavior
See above
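The G404 message quoted in the report names crypto/rand as the alternative to math/rand and math/rand/v2. The following is an added example, not code from the issue or from the gosec project, showing the two usual ways to resolve such a finding on a call like rand.N(1000): draw the value from crypto/rand when it is security-sensitive, or keep math/rand/v2 and annotate the line with gosec's #nosec comment when it is not. The helper names secureN and jitterN are hypothetical.

```go
package main

import (
	crand "crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand/v2"
)

// secureN returns a uniform integer in [0, n) drawn from the OS CSPRNG.
// Use it for tokens, identifiers, nonces or anything an attacker must
// not be able to predict. crypto/rand.Int yields a uniform value in
// [0, max), so there is no modulo bias.
func secureN(n int64) (int64, error) {
	if n <= 0 {
		return 0, fmt.Errorf("secureN: bound must be positive, got %d", n)
	}
	v, err := crand.Int(crand.Reader, big.NewInt(n))
	if err != nil {
		return 0, err
	}
	return v.Int64(), nil
}

// jitterN is for non-security uses (backoff jitter, sampling, test data).
// The #nosec annotation records that the G404 finding on this line was
// reviewed and accepted, together with the reason.
func jitterN(n int) int {
	return mrand.N(n) // #nosec G404 -- not used for secrets or tokens
}

func main() {
	v, err := secureN(1000)
	if err != nil {
		panic(err)
	}
	fmt.Println("security-sensitive:", v)
	fmt.Println("non-sensitive:", jitterN(1000))
}
```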