# Use of Insufficiently Random Values (CWE-330)

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (1 fix example)

**OWASP:** A02:2021 Cryptographic Failures (#2)

## Description

When random values are predictable, attackers can guess them and bypass security mechanisms that depend on their unpredictability, such as session tokens, CSRF tokens, or cryptographic nonces.

## Prevention

### Go

Sort slices after collecting keys or values from map iteration.

## Warning Signs

- [MEDIUM] Map iteration order in Go is non-deterministic. This code converts a map to a slice without sorting, which will produce non-deterministic output. Note that Go randomizes map iteration order deliberately and this randomization is not a security mechanism; the finding is about unstable output (ordering bugs, flaky tests, non-reproducible artifacts), not about a weak random source.

## Consequences

- Bypass Protection Mechanism
- Gain Privileges

## Mitigations

- Use cryptographically secure random number generators (in Go, `crypto/rand`, never `math/rand`, for anything an attacker must not be able to guess)
- Do not use time-based or sequential values for security purposes
- Ensure sufficient entropy in random number generation

## Detection

- Total rules: 1
- Languages: go

## Rules by Language

### Go (1 rule)

- **Non-deterministic Map Iteration** [MEDIUM]: Converts a map to a slice without sorting, producing non-deterministic output.
- Remediation: Add sorting after collecting keys/values from the map (requires `import "sort"`):

```go
// Before (non-deterministic):
result := make([]string, 0, len(myMap))
for key := range myMap {
	result = append(result, key)
}
return result // Order varies between runs!

// After (deterministic):
result := make([]string, 0, len(myMap))
for key := range myMap {
	result = append(result, key)
}
sort.Strings(result) // Always the same order
return result
```

For non-string element types, use `sort.Slice` with a comparison on the field that defines the order:

```go
sort.Slice(result, func(i, j int) bool {
	return result[i].Name < result[j].Name
})
```

On Go 1.21 and later, `slices.Sort` and `slices.SortFunc` from the standard `slices` package are equivalent, generic alternatives.
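The following program is an added example, not code from the original page or from any scanner it describes. It puts the two points of this page side by side in one runnable file: the deterministic map-to-slice helper that the Go rule asks for, and the actual CWE-330 concern, a security token drawn from `math/rand` with a guessable seed compared with one drawn from the OS CSPRNG via `crypto/rand`. The function names (`SortedKeys`, `PredictableToken`, `SecureToken`) and the seed value used in `main` are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
	"sort"
)

// SortedKeys collects the keys of m and sorts them, so callers get the same
// order on every run regardless of Go's randomized map iteration.
// (Hypothetical helper written for this example.)
func SortedKeys(m map[string]int) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// PredictableToken reproduces the CWE-330 anti-pattern: token bytes come from
// math/rand, a deterministic PRNG, seeded with a value an attacker can learn or
// guess (in real code typically time.Now().Unix() or a constant). The seed is a
// parameter here purely so the repeatability can be demonstrated; the same seed
// always yields the same token.
func PredictableToken(seed int64, nBytes int) string {
	r := mrand.New(mrand.NewSource(seed))
	buf := make([]byte, nBytes)
	for i := range buf {
		buf[i] = byte(r.Intn(256)) // math/rand: statistically random, not unpredictable
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

// SecureToken draws nBytes from crypto/rand, the OS-backed CSPRNG, which is the
// correct source for session IDs, CSRF tokens and nonces. 32 bytes gives a
// 256-bit token; the error must be checked, not ignored.
func SecureToken(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

func main() {
	fmt.Println(SortedKeys(map[string]int{"b": 2, "a": 1, "c": 3})) // [a b c]

	// An attacker who knows the seed regenerates the exact token.
	seed := int64(1700000000) // assumed low-entropy seed, e.g. a Unix timestamp
	fmt.Println(PredictableToken(seed, 16) == PredictableToken(seed, 16)) // true

	t1, err := SecureToken(32)
	if err != nil {
		panic(err)
	}
	t2, _ := SecureToken(32)
	fmt.Println(t1 != t2) // true: each call is independent and unguessable
}
```

The sorting helper fixes reproducibility, which is what the page's Go rule detects; it does not make anything more or less secure. The token functions are where CWE-330 actually applies: `PredictableToken` shows that a PRNG seeded from a guessable value is a guessable token, and `SecureToken` is the drop-in replacement.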