# Use of Insufficiently Random Values (CWE-330)

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (1 remediation example)

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When random values are predictable, attackers can guess them and bypass security mechanisms that depend on their unpredictability, such as session tokens, CSRF tokens, or cryptographic nonces.

## Prevention

### Go

Sort slices after collecting keys or values from map iteration.

## Warning Signs

- [MEDIUM] Map iteration order in Go is non-deterministic. This code converts a map to a slice without sorting, which will produce

## Consequences

- Bypass of protection mechanisms
- Gain of privileges

## Mitigations

- Use a cryptographically secure random number generator
- Do not use time-based or sequential values for security purposes
- Ensure sufficient entropy for random number generation

## Detection

- Total rules: 1
- Languages: go

## Rules by Language

### Go (1 rule)

- **Non-deterministic Map Iteration** [MEDIUM]: Converts a map to a slice without sorting, producing non-deterministic output.
  - Remediation: Add sorting after collecting keys/values from the map:

```go
import "sort"

// Before (non-deterministic): the slice is returned in map iteration
// order, which Go randomizes between runs.
func keysUnsorted(myMap map[string]int) []string {
	result := make([]string, 0, len(myMap))
	for key := range myMap {
		result = append(result, key)
	}
	return result // Order varies!
}

// After (deterministic): sort once the keys have been collected.
func keysSorted(myMap map[string]int) []string {
	result := make([]string, 0, len(myMap))
	for key := range myMap {
		result = append(result, key)
	}
	sort.Strings(result) // Always same order
	return result
}
```

For non-string types, use sort.Slice:

```go
// result is a slice of structs with a Name field; order it by that field.
sort.Slice(result, func(i, j int) bool {
	return result[i].Name < result[j].Name
})
```
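The following program, added here as a worked example and not part of the rule catalog above, shows both halves of this page in runnable Go: the map-ordering remediation (sorted keys, a `sort.Slice` variant for a struct type, and a `fingerprint` helper that shows why a fixed order matters when a digest of map contents is compared) and the CSPRNG mitigation (`newToken`, which draws from `crypto/rand` rather than `math/rand` or a clock). The function names, the `user` type and the sample maps are constructed for this example and go slightly beyond the page's snippets by hashing the canonical form.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// sortedKeys collects the keys of m and sorts them so the result does not
// depend on Go's randomized map iteration order.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// fingerprint hashes a map in canonical key order. Because the order is
// fixed, two maps with equal contents always produce the same digest; hashing
// in iteration order would make equal maps compare unequal across runs.
func fingerprint(m map[string]string) string {
	var b strings.Builder
	for _, k := range sortedKeys(m) {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(m[k])
		b.WriteByte('\n')
	}
	sum := sha256.Sum256([]byte(b.String()))
	return hex.EncodeToString(sum[:])
}

// user is a constructed record type for the sort.Slice variant.
type user struct {
	Name string
	ID   int
}

// sortedUsers orders a slice built from a map by a struct field, for
// element types where sort.Strings does not apply.
func sortedUsers(m map[int]string) []user {
	out := make([]user, 0, len(m))
	for id, name := range m {
		out = append(out, user{Name: name, ID: id})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// newToken returns nBytes from the OS CSPRNG (crypto/rand), URL-safe
// base64 encoded, suitable for a session or CSRF token. Time-based,
// sequential or math/rand values are not acceptable here.
func newToken(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

func main() {
	// Constructed sample data: same contents, different insertion order.
	a := map[string]string{"alg": "HS256", "kid": "k1", "typ": "JWT"}
	b := map[string]string{"typ": "JWT", "kid": "k1", "alg": "HS256"}
	fmt.Println(sortedKeys(a), fingerprint(a) == fingerprint(b))
	fmt.Println(sortedUsers(map[int]string{3: "c", 1: "a", 2: "b"}))
	tok, err := newToken(32)
	if err != nil {
		panic(err)
	}
	fmt.Println(tok)
}
```

Run it several times: the key list, the user order and the fingerprint comparison are identical on every run, while each token differs, which is exactly the split the rule draws between output that must be deterministic and values that must be unpredictable.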