Use of cryptographically weak Pseudo-Random Number Generator (PRNG)
Description
Go's `math/rand` is not meant for generating random numbers in any cryptographic or security-sensitive context. This includes generating random numbers used in user-specific identifiers, or any case where the generated number is considered secret: the generator is deterministic, so anyone who knows or guesses its seed can reproduce every value it produces.
Examples
Insecure Code
```go
package main

import "math/rand"

func main() {
	// math/rand is a deterministic PRNG: not suitable for secrets or identifiers
	_ = rand.Intn(10)
}
```
Secure Code
```go
package main

import ("crypto/rand"; "math/big")

func main() {
	// crypto/rand has no Intn: rand.Int draws a uniform value in [0, 10) from the OS CSPRNG
	if _, err := rand.Int(rand.Reader, big.NewInt(10)); err != nil {
		panic(err)
	}
}
```
Remediation
Replace all imports of `math/rand` with `crypto/rand`. Note that the two packages do not share an API: `crypto/rand` exposes `Int(rand.Reader, max)` and `Read`, not `Intn`, and both return an error that must be checked, so call sites need adjusting as well.
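The following added example (not part of the original rule page) makes the difference concrete: a seeded `math/rand` generator reproduces the same draws on every run, while the `crypto/rand` helpers shown here (`SecureIntn` and `SecureToken`, hypothetical names chosen for this illustration) draw from the operating system's CSPRNG and return an error that callers must handle.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math/big"
	mathrand "math/rand"
)

// PredictableSequence shows why math/rand is unfit for secrets: the same
// seed reproduces the same "random" draws, so anyone who learns or guesses
// the seed can regenerate every value the program ever produced.
func PredictableSequence(seed int64, n int) []int {
	r := mathrand.New(mathrand.NewSource(seed))
	out := make([]int, n)
	for i := range out {
		out[i] = r.Intn(10)
	}
	return out
}

// SecureIntn returns a uniformly distributed integer in [0, limit) drawn from
// the OS CSPRNG via crypto/rand. It is the replacement for math/rand's Intn in
// security-sensitive code; note the different underlying call (crypto/rand
// exposes Int, not Intn) and the error return that must be checked.
func SecureIntn(limit int64) (int64, error) {
	if limit <= 0 {
		return 0, fmt.Errorf("limit must be positive, got %d", limit)
	}
	n, err := rand.Int(rand.Reader, big.NewInt(limit))
	if err != nil {
		return 0, err
	}
	return n.Int64(), nil
}

// SecureToken returns nBytes of CSPRNG output, hex-encoded, suitable for
// session identifiers, reset tokens and similar secrets.
func SecureToken(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	// Both runs print the same five digits: the seed fully determines the output.
	fmt.Println("seeded math/rand, run 1:", PredictableSequence(42, 5))
	fmt.Println("seeded math/rand, run 2:", PredictableSequence(42, 5))
	n, err := SecureIntn(10)
	if err != nil {
		panic(err)
	}
	tok, err := SecureToken(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand int:", n, "token:", tok)
}
```

`rand.Int` already returns a uniform value in `[0, limit)`, so no modulo bias is introduced; reducing a raw `rand.Read` buffer with `%` would not give that guarantee.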
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0779 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-338 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | random number generator, crypto |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |