rules/sdk: G702: Blocklisted import crypto/rand should not flag for crypto related code #63
Assignees
Comments
odeke-em
added a commit
that referenced
this issue
Oct 23, 2022
Adds an allowList so that types and methods that don't need an error check. That reduces false positives. Fixes #63
odeke-em
added a commit
that referenced
this issue
Oct 23, 2022
…t permits Adds an allowList so that types and methods that don't need an error check. That reduces false positives. Fixes #63
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've seen a bunch of reports like this
[/go/src/github.com/cosmos/cosmos-sdk/crypto/xsalsa20symmetric/symmetric.go:4] - G702 (CWE-): Blocklisted import crypto/rand (Confidence: HIGH, Severity: MEDIUM) 3: import ( > 4: "crypto/rand" 5: "errors" [/go/src/github.com/cosmos/cosmos-sdk/crypto/keys/internal/ecdsa/privkey.go:6] - G702 (CWE-): Blocklisted import crypto/rand (Confidence: HIGH, Severity: MEDIUM) 5: "crypto/elliptic" > 6: "crypto/rand" 7: "crypto/sha256" [/go/src/github.com/cosmos/cosmos-sdk/crypto/keys/internal/benchmarking/bench.go:4] - G702 (CWE-): Blocklisted import crypto/rand (Confidence: HIGH, Severity: MEDIUM) 3: import ( > 4: "crypto/rand" 5: "io"but really cryptographic code needs RNGs from crypto/rand so as to perform its duties, hence we should exempt code in such files or packages from these false positives
The text was updated successfully, but these errors were encountered: