Audit the random number generation source (rand) GSC-G404
Use of weak random number generator (math/rand instead of crypto/rand)
18func RandFloats(min, max float64, n int) []float64 {
19 res := make([]float64, n)
20 for i := range res {
21 res[i] = min + rand.Float64()*(max-min)22 }
23 return res
24}Use of weak random number generator (math/rand instead of crypto/rand)
9
10func RandomizeSize(minimalSize, maximumSize float64) decimal.Decimal {
11 rand.Seed(time.Now().Unix())
12 x := rand.Float64()*(maximumSize-minimalSize) + minimalSize13 r := decimal.NewFromFloat(x)
14 hundred := decimal.New(100, 1)
15 return r.Mul(hundred).Div(hundred)
Description
math/rand is much faster for applications that don’t need crypto-level or security-related random data generation. crypto/rand is suited for secure and crypto-ready usage, but it’s slower. But in most cases, crypto/rand is likely to be more suitable, unless the performance is critical but the application's security is not (which is rare).
It is highly recommended to use crypto/rand when needing to be secure with random numbers such as generating session ID in a web application.
- crypto/rand package
- math/rand package
Bad practice
package main
import "math/rand"
func main() {
bad := rand.Int()
println(bad)
}
Recommended
package main
import "crypto/rand"
func main() {
good, _ := rand.Read(nil)
println(good)
}