Usage of weak Pseudo-Random Number Generator (PRNG)
- Rule ID: go_gosec_crypto_weak_random
- Languages: go
- Source: weak_random.yml
Description
The math/rand package in Go generates pseudorandom numbers that are not suitable for cryptographic purposes. Its generators are deterministic: anyone who knows the seed can reproduce every value they emit, and a seed drawn from a timestamp or process ID is trivially guessable. Since Go 1.20 the package's default source is seeded randomly rather than with a fixed value, but it is still not a cryptographically secure generator. Using it to produce secrets, session identifiers, tokens, nonces, or other security-sensitive values lets those values be predicted.
Remediations
- Do use crypto/rand instead of math/rand for generating random numbers in contexts where security is crucial. This ensures the randomness is cryptographically secure and unpredictable.
- Do not use math/rand for generating random numbers in cryptographic applications, including but not limited to key generation, authentication tokens, or security challenges.
- Do not initialize math/rand with predictable seeds, such as timestamps or other easily guessable values, if using math/rand is unavoidable for a non-security purpose.
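The following is an added example written for this page, not code from Bearer or gosec. It places the pattern this rule flags (math/rand seeded with a guessable value) beside the crypto/rand replacement, and shows why the weak version fails: two generators given the same seed produce the same token. The seed value and the token length of 32 bytes are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
)

// weakToken is the pattern this rule flags: math/rand seeded with a value an
// attacker can guess (a timestamp, a PID, a counter). Anyone who recovers the
// seed regenerates the exact same token stream. Kept only to show the failure.
func weakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// secureToken draws n bytes from crypto/rand (the OS CSPRNG) and encodes them
// URL-safe. n=32 gives 256 bits of entropy. The error is propagated: if the
// CSPRNG is unavailable the caller must abort, never fall back to math/rand.
func secureToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("csprng unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	// Constructed seed standing in for time.Now().UnixNano(): an attacker who
	// guesses it (the timestamp is often visible in logs or headers) gets the
	// same token by running the same code.
	const guessedSeed int64 = 1700000000
	fmt.Println("weak   :", weakToken(guessedSeed, 32))
	fmt.Println("replay :", weakToken(guessedSeed, 32)) // identical output

	t, err := secureToken(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("secure :", t) // differs on every run, not reproducible from any seed
}
```

When a bounded integer is needed rather than raw bytes (for example, picking a character from an alphabet), use crypto/rand.Int with a *big.Int bound instead of math/rand's Intn; the base64 encoding above is enough for opaque tokens and avoids modulo bias entirely.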
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_weak_random
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_weak_random