Annotate gosec rand generator warning for false positive

gosec tool flags math/rand, but using math/rand is okay as long as the random number does not have to be cyrptographically secure. In this case, the random numbers are not used as a secret for crytpo purposes so using math/rand is okay.
openservicemesh · Oct 15, 2020 · f925052 · f925052
1 parent c9393ef
commit f925052
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 3 deletions.
diff --git a/demo/cmd/bookstore/bookstore.go b/demo/cmd/bookstore/bookstore.go
@@ -109,7 +109,7 @@ func sellBook(w http.ResponseWriter, r *http.Request) {
 	// Slow down the responses artificially.
 	maxNoiseMilliseconds := 750
 	minNoiseMilliseconds := 150
-	intNoise := rand.Intn(maxNoiseMilliseconds-minNoiseMilliseconds) + minNoiseMilliseconds
+	intNoise := rand.Intn(maxNoiseMilliseconds-minNoiseMilliseconds) + minNoiseMilliseconds // #nosec G404
 	pretendToBeBusy := time.Duration(intNoise) * time.Millisecond
 	log.Info().Msgf("Sleeping %+v", pretendToBeBusy)
 	time.Sleep(pretendToBeBusy)

diff --git a/demo/cmd/common/books.go b/demo/cmd/common/books.go
@@ -147,7 +147,7 @@ func GetBooks(participantName string, meshExpectedResponseCode int, booksCount *
 
 			// Create random URLs to test egress
 			if fetchURL == httpPrefix || fetchURL == httpsPrefix {
-				index := rand.Intn(len(egressURLs))
+				index := rand.Intn(len(egressURLs)) // #nosec G404
 				fetchURL = fmt.Sprintf("%s%s", url, egressURLs[index])
 			}
 

diff --git a/pkg/certificate/rotor/rotor.go b/pkg/certificate/rotor/rotor.go
@@ -72,7 +72,8 @@ func ShouldRotate(cert certificate.Certificater) bool {
 	// We want to renew earlier. How much earlier is defined in renewBeforeCertExpires.
 	// We add a few seconds noise to the early renew period so that certificates that may have been
 	// created at the same time are not renewed at the exact same time.
-	intNoise := rand.Intn(maxNoiseSeconds-minNoiseSeconds) + minNoiseSeconds
+
+	intNoise := rand.Intn(maxNoiseSeconds-minNoiseSeconds) + minNoiseSeconds /* #nosec G404 */
 	secondsNoise := time.Duration(intNoise) * time.Second
 	return time.Until(cert.GetExpiration()) <= (renewBeforeCertExpires + secondsNoise)
 }
diff --git a/pkg/debugger/envoy.go b/pkg/debugger/envoy.go
@@ -16,6 +16,8 @@ func (ds debugServer) getEnvoyConfig(pod *v1.Pod, cn certificate.CommonName, url
 
 	minPort := 16000
 	maxPort := 18000
+
+	// #nosec G404
 	portFwdRequest := portForward{
 		Pod:       pod,
 		LocalPort: rand.Intn(maxPort-minPort) + minPort,