Usage of insufficient random value

Description

Your application is at risk when it uses predictable random values, particularly for security-related functions.

Remediations

  • Do use a cryptographically secure source, such as the crypto/rand package shown below, when generating random values. This is crucial for any value used in a security-related function.
    import (
        "crypto/rand"
        "encoding/base64"
    )

    // generateSecureToken returns a URL-safe token built from `length`
    // random bytes read from crypto/rand.
    func generateSecureToken(length int) (string, error) {
        bytes := make([]byte, length)
        // rand.Read fills the slice completely or returns an error
        _, err := rand.Read(bytes)
        if err != nil {
            return "", err
        }

        // Encode the binary data to a string for easier use
        return base64.URLEncoding.EncodeToString(bytes), nil
    }
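The flagged pattern beside the fix, as an added example that is not part of the original page or of Bearer's own code. The names weakToken and secureToken and the seed value are hypothetical, and the weak variant assumes the predictable source is math/rand, which the page does not name.

```go
package main

import (
	crand "crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	mrand "math/rand"
)

// weakToken shows the pattern to avoid: math/rand is a deterministic PRNG,
// so every byte of the token is a function of the seed alone.
func weakToken(seed int64, length int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, length)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return base64.URLEncoding.EncodeToString(b)
}

// secureToken draws its bytes from the operating system CSPRNG via crypto/rand.
func secureToken(length int) (string, error) {
	if length <= 0 {
		return "", errors.New("token length must be positive")
	}
	b := make([]byte, length)
	if _, err := crand.Read(b); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(b), nil
}

func main() {
	// Constructed seed: stands in for a guessable value such as a timestamp.
	const seed = 1700000000
	fmt.Println("weak, run 1:  ", weakToken(seed, 16))
	fmt.Println("weak, run 2:  ", weakToken(seed, 16)) // same seed, same token
	a, err := secureToken(16)
	if err != nil {
		panic(err)
	}
	b, err := secureToken(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("secure, run 1:", a)
	fmt.Println("secure, run 2:", b) // independent of run 1
}
```
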

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_insufficiently_random_values

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_insufficiently_random_values