Audit the random number generation source (rand) GSC-G404
Use of weak random number generator (math/rand instead of crypto/rand)
458}
459
460func setupBackend(t *testing.T) (*config.ServiceConfig, error) {
461 data := map[string]interface{}{"port": rand.Intn(2000) + 8080}462
463 // param forwarding validation backend
464 b1 := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {Use of weak random number generator (math/rand instead of crypto/rand)
468
469// newPort returns random port numbers to avoid port collisions during the tests
470func newPort() int {
471 return 16666 + rand.Intn(40000)472}
Use of weak random number generator (math/rand instead of crypto/rand)
63var random *rand.Rand
64
65func init() {
66 random = rand.New(rand.NewSource(time.Now().UnixNano()))67}
68
69// jitter keeps the +/- 0-33% logic in one place
Description
math/rand is much faster for applications that don’t need crypto-level or security-related random data generation. crypto/rand is suited for secure and crypto-ready usage, but it’s slower. But in most cases, crypto/rand is likely to be more suitable, unless the performance is critical but the application's security is not (which is rare).
It is highly recommended to use crypto/rand when needing to be secure with random numbers such as generating session ID in a web application.
- crypto/rand package
- math/rand package
Bad practice
package main
import "math/rand"
func main() {
bad := rand.Int()
println(bad)
}
Recommended
package main
import "crypto/rand"
func main() {
good, _ := rand.Read(nil)
println(good)
}