feat(golang): add cwe 330

rules/go/lang/insufficiently_random_values.yml

@@ -0,0 +1,56 @@
+patterns:
+  - pattern: |
+      $<MATH>.Seed()
+    filters:
+      - variable: MATH
+        detection: go_lang_insufficiently_random_values_init
+        scope: cursor
+auxiliary:
+  - id: go_lang_insufficiently_random_values_init
+    patterns:
+      - import $<!>"math/rand"
+      - |
+        import (
+          $<!>"math/rand"
+        )
+languages:
+  - go
+metadata:
+  description: "Usage of insufficient random value"
+  remediation_message: |
+    ## Description
+
+    Using predictable random values makes our application vulnerable to attacks,
+    especially if these values are used for security purposes.
+
+    ## Remediations
+
+    ✅ Use a stronger library when generating random values
+
+    ```go
+    import (
+      "crypto/rand"
+      "encoding/base64"
+      "fmt"
+    )
+
+    func generateSecureToken(length int) (string, error) {
+      bytes := make([]byte, length)
+      _, err := rand.Read(bytes)
+      if err != nil {
+        return "", err
+      }
+
+      // Encode the binary data to a string for easier use
+      return base64.URLEncoding.EncodeToString(bytes), nil
+    }
+    ```
+
+    ## Resources
+
+    [Use of Insufficiently Random Values](https://cwe.mitre.org/data/definitions/330.html)
+
+  cwe_id:
+    - 330
+  id: go_lang_insufficiently_random_values
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_insufficiently_random_values

tests/go/lang/insufficiently_random_values/test.js

@@ -0,0 +1,18 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("insufficiently_random_values", () => {
+    const testCase = "main.go"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})

tests/go/lang/insufficiently_random_values/testdata/main.go

@@ -0,0 +1,42 @@
+// Use of bearer:expected go_lang_insufficiently_random_values to flag expected findings
+
+package main
+
+import (
+	"encoding/base64"
+	"fmt"
+	"math/rand"
+	"time"
+
+	crypto "crypto/rand"
+)
+
+func generateSecureToken(length int) (string, error) {
+	bytes := make([]byte, length)
+	_, err := crypto.Read(bytes)
+	if err != nil {
+		return "", err // Don't ignore errors!
+	}
+
+	// Encode the binary data to a string for easier use
+	return base64.URLEncoding.EncodeToString(bytes), nil
+}
+
+func generateToken() string {
+	// Seed the random number generator with the current time
+	// bearer:expected go_lang_insufficiently_random_values
+	rand.Seed(time.Now().UnixNano())
+
+	// Generate a token using a non-cryptographically secure random generator
+	token := ""
+	for i := 0; i < 10; i++ {
+		token += string(rand.Intn(26) + 'a')
+	}
+	return token
+}
+
+func main() {
+	// Generate and print a "random" token
+	fmt.Println("Generated Token:", generateToken())
+	fmt.Println("Generated Secure Token:", generateSecureToken())
+}