Go

Made by DeepSource

Audit the random number generation source (rand) GSC-G404

Security
Minor
a05 a02 cwe-338 owasp top 10

math/rand is much faster and is fine for applications that do not need cryptographic or security-related random data. crypto/rand is suited to secure, cryptographic use, but it is slower. In most cases crypto/rand is the more suitable choice, unless performance is critical and the application's security is not (which is rare).

It is highly recommended to use crypto/rand whenever random numbers must be secure, such as when generating a session ID in a web application.

Bad practice

package main

import "math/rand"

func main() {
    // math/rand is a pseudo-random generator meant for non-security use.
    bad := rand.Int()
    println(bad)
}

Recommended

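package main

import (
    "crypto/rand"
    "encoding/hex"
)

func main() {
    // Read fills the whole slice; a nil or empty slice yields no random data.
    good := make([]byte, 16)
    if _, err := rand.Read(good); err != nil {
        panic(err) // never fall back to a weaker source
    }
    println(hex.EncodeToString(good))
}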
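The session ID case mentioned above, as an added example that is not DeepSource's own code: it contrasts a seeded math/rand token, which repeats for the same seed, with a crypto/rand session ID and an unbiased bounded integer. The function names `weakToken`, `newSessionID` and `secureIntn` and the seed value are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"math/big"
	mathrand "math/rand"
)

// weakToken shows the flagged pattern: a math/rand stream is a pure function
// of its seed, so the same seed always reproduces the same "random" token.
func weakToken(seed int64) string {
	b := make([]byte, 16)
	mathrand.New(mathrand.NewSource(seed)).Read(b) // never returns an error
	return base64.RawURLEncoding.EncodeToString(b)
}

// newSessionID returns 128 bits from the OS CSPRNG as a URL-safe string.
func newSessionID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("crypto/rand: %w", err) // fail closed, no fallback
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// secureIntn returns a uniform value in [0, n) with no modulo bias.
func secureIntn(n int64) (int64, error) {
	if n <= 0 {
		return 0, fmt.Errorf("secureIntn: n must be positive, got %d", n)
	}
	v, err := rand.Int(rand.Reader, big.NewInt(n))
	if err != nil {
		return 0, err
	}
	return v.Int64(), nil
}

func main() {
	// Constructed seed 42: both calls print the identical token.
	fmt.Println(weakToken(42), weakToken(42))
	id, err := newSessionID()
	if err != nil {
		panic(err)
	}
	pin, _ := secureIntn(1000000)
	fmt.Printf("session=%s pin=%06d\n", id, pin)
}
```
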
