fix(G404): flag missing math/rand weak-random functions (#1694)

Author: StressTestor

rules/rand.go

@@ -30,10 +30,10 @@ func NewWeakRandCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
 	rule := &weakRand{newCallListRule(id,
 		"Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand)",
 		issue.High, issue.Medium)}
-	rule.AddAll("math/rand", "New", "Read", "Float32", "Float64", "Int", "Int31", "Int31n",
-		"Int63", "Int63n", "Intn", "NormFloat64", "Uint32", "Uint64")
-	rule.AddAll("math/rand/v2", "New", "Float32", "Float64", "Int", "Int32", "Int32N",
-		"Int64", "Int64N", "IntN", "N", "NormFloat64", "Uint32", "Uint32N", "Uint64", "Uint64N", "UintN")
+	rule.AddAll("math/rand", "New", "Read", "ExpFloat64", "Float32", "Float64", "Int", "Int31", "Int31n",
+		"Int63", "Int63n", "Intn", "NormFloat64", "Perm", "Shuffle", "Uint32", "Uint64")
+	rule.AddAll("math/rand/v2", "New", "ExpFloat64", "Float32", "Float64", "Int", "Int32", "Int32N",
+		"Int64", "Int64N", "IntN", "N", "NormFloat64", "Perm", "Shuffle", "Uint", "Uint32", "Uint32N", "Uint64", "Uint64N", "UintN")
 
 	return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }

testutils/g404_samples.go

@@ -184,4 +184,40 @@ func main() {
 	_ = rand3.IntN(2)  // bad
 }
 `}, 3, gosec.NewConfig()},
+	{[]string{`
+package main
+
+import "math/rand"
+
+func main() {
+	p := rand.Perm(10) // bad
+	println(len(p))
+	f := rand.ExpFloat64() // bad
+	println(f)
+	nums := []int{1, 2, 3}
+	rand.Shuffle(len(nums), func(i, j int) { // bad
+		nums[i], nums[j] = nums[j], nums[i]
+	})
+	println(nums[0])
+}
+`}, 3, gosec.NewConfig()},
+	{[]string{`
+package main
+
+import "math/rand/v2"
+
+func main() {
+	u := rand.Uint() // bad
+	println(u)
+	p := rand.Perm(10) // bad
+	println(len(p))
+	f := rand.ExpFloat64() // bad
+	println(f)
+	nums := []int{1, 2, 3}
+	rand.Shuffle(len(nums), func(i, j int) { // bad
+		nums[i], nums[j] = nums[j], nums[i]
+	})
+	println(nums[0])
+}
+`}, 4, gosec.NewConfig()},
 }