GO-S1033 · Random number generator seed doesn't have enough entropy

Random number generator seed doesn't have enough entropy GO-S1033

Security

Major

11 days ago — a year old

a02 cwe-336 cwe-337 owasp top 10 cwe-331

Time based seeds have insufficient entropy

 39var _ structs.Provider = &Client{}
 40
 41func init() {
 42	rand.Seed(time.Now().UTC().UnixNano()) 43}
 44
 45func New(endpoint string) (*Client, error) {

Time based seeds have insufficient entropy

provider/k8s/k8s.go

 79}
 80
 81func init() {
 82	rand.Seed(time.Now().Unix()) 83}
 84
 85func FromEnv() (*Provider, error) {

Time based seeds have insufficient entropy

pkg/manifest/manifest.go

 38}
 39
 40func init() {
 41	rand.Seed(time.Now().UnixNano()) 42}
 43
 44func Load(data []byte, env map[string]string) (*Manifest, error) {

Time based seeds have insufficient entropy

pkg/logstorage/logstorage.go

 24type Receiver chan Log
 25
 26func init() {
 27	rand.Seed(time.Now().UTC().UnixNano()) 28}
 29
 30func New() Store {

Description

As math/rand uses a statistical random number generator, using a low entropy seed (such as constants and the current system time) may allow an attacker to predict what the following number generated is.

Bad practice

package main

import (
    "math/rand"
    "time"
)

func main() {
    rand.Seed(42)                // constant seeds are bad
    rand.Seed(time.Now().Unix()) // time based seeds don't have sufficient entropy
}

convox / convox

Bad practice

References