From e49928c791bf5d1ecf2880048a756d4050f06dac Mon Sep 17 00:00:00 2001
From: StressTestor <212606152+StressTestor@users.noreply.github.com>
Date: Fri, 12 Jun 2026 15:32:39 -0600
Subject: [PATCH] fix(G404): flag missing math/rand weak-random functions
---
 rules/rand.go | 8 ++++----
 testutils/g404_samples.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/rules/rand.go b/rules/rand.go
index a1d3508a01..e41969f76c 100644
--- a/rules/rand.go
+++ b/rules/rand.go
@@ -30,10 +30,10 @@ func NewWeakRandCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
 rule := &weakRand{newCallListRule(id, "Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand)", issue.High, issue.Medium)}
- rule.AddAll("math/rand", "New", "Read", "Float32", "Float64", "Int", "Int31", "Int31n",
- "Int63", "Int63n", "Intn", "NormFloat64", "Uint32", "Uint64")
- rule.AddAll("math/rand/v2", "New", "Float32", "Float64", "Int", "Int32", "Int32N",
- "Int64", "Int64N", "IntN", "N", "NormFloat64", "Uint32", "Uint32N", "Uint64", "Uint64N", "UintN")
+ rule.AddAll("math/rand", "New", "Read", "ExpFloat64", "Float32", "Float64", "Int", "Int31", "Int31n",
+ "Int63", "Int63n", "Intn", "NormFloat64", "Perm", "Shuffle", "Uint32", "Uint64")
+ rule.AddAll("math/rand/v2", "New", "ExpFloat64", "Float32", "Float64", "Int", "Int32", "Int32N",
+ "Int64", "Int64N", "IntN", "N", "NormFloat64", "Perm", "Shuffle", "Uint", "Uint32", "Uint32N", "Uint64", "Uint64N", "UintN")
 return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }
diff --git a/testutils/g404_samples.go b/testutils/g404_samples.go
index 72e103489a..b80dbd941d 100644
--- a/testutils/g404_samples.go
+++ b/testutils/g404_samples.go
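Review bot: The two AddAll calls now enumerate every top-level generator function but still none of the source constructors, so a call that never passes through `New` — e.g. `rand.NewPCG(1, 2).Uint64()` in v2, or `rand.NewSource(1).Int63()` in v1 — is presumably left unreported while `rand.New(rand.NewPCG(1, 2))` is flagged. That may well be deliberate (a `NewChaCha8` source keyed from crypto/rand is not weak, and `NewZipf` takes a `*Rand` that the `New` match already catches), but nothing in the rule records the decision; I would state it above the calls: `// Top-level generator functions only; source constructors (NewSource, NewPCG, NewChaCha8) are not flagged unless their result is passed to New.` Since both lists are hand-maintained mirrors of the package API, a second comment line naming `go doc math/rand` and `go doc math/rand/v2` as the reference to diff against would make the next Go release's additions easier to catch.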
@@ -184,4 +184,40 @@ func main() {
 _ = rand3.IntN(2) // bad
 }
 `}, 3, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "math/rand"
+
+func main() {
+ p := rand.Perm(10) // bad
+ println(len(p))
+ f := rand.ExpFloat64() // bad
+ println(f)
+ nums := []int{1, 2, 3}
+ rand.Shuffle(len(nums), func(i, j int) { // bad
+ nums[i], nums[j] = nums[j], nums[i]
+ })
+ println(nums[0])
+}
+`}, 3, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "math/rand/v2"
+
+func main() {
+ u := rand.Uint() // bad
+ println(u)
+ p := rand.Perm(10) // bad
+ println(len(p))
+ f := rand.ExpFloat64() // bad
+ println(f)
+ nums := []int{1, 2, 3}
+ rand.Shuffle(len(nums), func(i, j int) { // bad
+ nums[i], nums[j] = nums[j], nums[i]
+ })
+ println(nums[0])
+}
+`}, 4, gosec.NewConfig()},
 }
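Review bot: Both new samples are positive cases only, so nothing in this hunk demonstrates that the newly listed names are matched by the `math/rand` / `math/rand/v2` import path rather than by bare identifier — and `Shuffle` and `Perm` are common names in user code, unlike `Int63n`. I would add one sample with an expected count of 0 that declares its own `func Shuffle(n int, swap func(i, j int)) {}` and `func Perm(n int) []int { return nil }` and calls them from `main` without importing either package, mirroring the shape of the samples above, so a regression toward name-only matching is caught by the same table. The slice literal this hunk extends begins outside the hunk, so I am reading the trailing `3` and `4` as expected issue counts from the earlier `3` entry in the context lines.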