# Use of Insufficiently Random Values (CWE-330)

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

- Prevalence: High, frequently exploited
- Impact: Medium, review recommended
- Prevention: Documented, 1 fix example

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When random values are predictable, attackers can guess them and bypass security mechanisms that depend on their unpredictability, such as session tokens, CSRF tokens, or cryptographic nonces.

## Prevention

### Go

Sort slices after collecting keys or values from map iteration.

## Warning Signs

- [MEDIUM] Map iteration order in Go is non-deterministic. This code converts a map to a slice without sorting, which will produce

## Consequences

- Bypass of protection mechanisms
- Gaining privileges

## Mitigations

- Use a cryptographically secure random number generator
- Do not use time-based or sequential values for security purposes
- Ensure sufficient entropy when generating random numbers

## Detection

- Total rules: 1
- Languages: go

## Rules by Language

### Go (1 rule)

- **Non-deterministic Map Iteration** [MEDIUM]: Converts map to slice without sorting, producing non-deterministic output.
  - Remediation: Add sorting after collecting keys/values from the map:

```go
import "sort"

// Before (non-deterministic): Go deliberately randomizes map iteration
// order, so the slice comes out in a different order on each call.
func keysUnsorted(myMap map[string]int) []string {
	result := make([]string, 0, len(myMap))
	for key := range myMap {
		result = append(result, key)
	}
	return result // Order varies!
}

// After (deterministic): sort the collected keys before returning them.
func keysSorted(myMap map[string]int) []string {
	result := make([]string, 0, len(myMap))
	for key := range myMap {
		result = append(result, key)
	}
	sort.Strings(result) // Always same order
	return result
}
```

For non-string types, use `sort.Slice` with a comparison on the field that defines the order:

```go
// result is a slice of structs with a Name field, collected from a map.
sort.Slice(result, func(i, j int) bool {
	return result[i].Name < result[j].Name
})
```
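The mitigations above (use a CSPRNG, avoid time-based seeds, ensure enough entropy) as a worked example. This is added illustration code, not code from the page or from any scanner it describes. `NewToken` draws bytes from `crypto/rand` and refuses tokens below a minimum size; `MinTokenBytes` (16 bytes, 128 bits) is an assumed floor chosen for this example, not a figure from the page. `WeakToken` reproduces the pattern the mitigations warn against, `math/rand` seeded with a small guessable value such as a timestamp, so that its predictability can be observed directly: the same seed always yields the same token.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mathrand "math/rand"
)

// MinTokenBytes is the smallest token we accept. 16 bytes (128 bits) of
// entropy is a common floor for session and CSRF tokens; this value is an
// assumption for the example, not taken from the page.
const MinTokenBytes = 16

// NewToken returns a URL-safe token carrying nBytes of entropy drawn from the
// operating system's CSPRNG via crypto/rand. It never silently falls back to a
// weaker source: a CSPRNG failure is returned as an error.
func NewToken(nBytes int) (string, error) {
	if nBytes < MinTokenBytes {
		return "", fmt.Errorf("token too short: %d bytes < %d", nBytes, MinTokenBytes)
	}
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("csprng unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// WeakToken is the anti-pattern: math/rand seeded with a small value such as a
// timestamp. Given the seed, every "random" byte is fully determined, so the
// same seed reproduces the same token. Shown here only to make that visible.
func WeakToken(seed int64, nBytes int) string {
	r := mathrand.New(mathrand.NewSource(seed))
	buf := make([]byte, nBytes)
	for i := range buf {
		buf[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

func main() {
	t1, _ := NewToken(32)
	t2, _ := NewToken(32)
	fmt.Println("csprng tokens differ:", t1 != t2)
	// Constructed seed standing in for a Unix timestamp.
	fmt.Println("seeded tokens repeat:", WeakToken(1700000000, 32) == WeakToken(1700000000, 32))
}
```

The check a reviewer would apply to real code is the one `NewToken` encodes: the byte source is `crypto/rand`, the length is enforced rather than left to the caller, and the error from the CSPRNG is propagated instead of ignored.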
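The Go rule above matters most when the slice built from a map feeds something that must be reproducible, such as a digest compared across runs or hosts. The following is an added example, not code from the page or from the scanner it describes, showing the remediation in that setting: `Fingerprint` sorts the keys before hashing so the digest is stable regardless of iteration order, and `RulesByName` applies the `sort.Slice` remediation to a non-string element type. The `Rule` struct and the map contents in the test are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Rule is a constructed stand-in for any non-string value stored in a map.
type Rule struct {
	Name     string
	Severity string
}

// Fingerprint returns a SHA-256 digest of a map's contents in sorted key order.
// Hashing in Go's randomized iteration order would yield a different digest on
// different runs, so the keys are collected and sorted first.
func Fingerprint(m map[string]string) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys) // the remediation: deterministic order before use

	h := sha256.New()
	for _, k := range keys {
		// Length prefixes keep "ab"+"c" and "a"+"bc" from hashing identically.
		fmt.Fprintf(h, "%d:%s=%d:%s;", len(k), k, len(m[k]), m[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// RulesByName collects the values of a map of Rules and orders them by Name
// with sort.Slice, the remediation for element types sort.Strings cannot handle.
func RulesByName(m map[string]Rule) []Rule {
	out := make([]Rule, 0, len(m))
	for _, r := range m {
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// RuleNames joins the names of rs in slice order, convenient for comparing or
// logging the result of RulesByName.
func RuleNames(rs []Rule) string {
	names := make([]string, len(rs))
	for i, r := range rs {
		names[i] = r.Name
	}
	return strings.Join(names, ",")
}

func main() {
	// Constructed sample: the same settings inserted in two different orders.
	a := map[string]string{"alg": "AES-256-GCM", "kdf": "argon2id", "rounds": "3"}
	b := map[string]string{"rounds": "3", "kdf": "argon2id", "alg": "AES-256-GCM"}
	fmt.Println("stable digest:", Fingerprint(a) == Fingerprint(b))

	rules := map[string]Rule{
		"r2": {Name: "zeta", Severity: "LOW"},
		"r1": {Name: "alpha", Severity: "HIGH"},
		"r3": {Name: "mid", Severity: "MEDIUM"},
	}
	fmt.Println("ordered rules:", RuleNames(RulesByName(rules)))
}
```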