False positive for G404 (crypto/rand vs math/rand/v2)

[klausman]

Summary

I am getting G404 lint warnings despite using math/rand/v2

Steps to reproduce the behavior

Example program:

package main

import (
        "fmt"
        "math/rand/v2"
)

func main() {
        fmt.Println("testing: ", rand.N(1000))
}

$ gosec ./...
[gosec] 2024/12/20 14:24:49 Including rules: default
[gosec] 2024/12/20 14:24:49 Excluding rules: default
[gosec] 2024/12/20 14:24:49 Including analyzers: default
[gosec] 2024/12/20 14:24:49 Excluding analyzers: default
[gosec] 2024/12/20 14:24:49 Import directory: /home/klausman/src/bla
[gosec] 2024/12/20 14:24:49 Checking package: main
[gosec] 2024/12/20 14:24:49 Checking file: /home/klausman/src/bla/main.go
Results:


[/home/klausman/src/bla/main.go:9] - G404 (CWE-338): Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    8: func main() {
  > 9:  fmt.Println("vim-go", rand.N(1000))
    10: }

Autofix:

Summary:
  Gosec  : 2.21.4
  Files  : 1
  Lines  : 10
  Nosec  : 0
  Issues : 1

gosec version

v2.21.4

Go version (output of 'go version')

go version go1.23.4 linux/amd64

Operating system / Environment

Debian testing (trixie)

Expected behavior

No warning G404 when using math/rand/v2

Actual behavior

See above