Reduce FPs

* Restrict allowed types in the flow step

* Discard more non-crypto-related TLS APIs

Author: atorralba

go/ql/lib/semmle/go/security/InsecureRandomness.qll

@@ -49,10 +49,14 @@ module InsecureRandomness {
 
     predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
       // Allow flow from tainted indexes to the base expression.
-      // Randomly selecting a character/substring from a predefined set
+      // Randomly selecting a character/substring/integer from a predefined set
       // with a weak RNG is also a security risk if the result is used in
       // a sensitive function.
-      n1.asExpr() = n2.asExpr().(IndexExpr).getIndex()
+      n1.asExpr() = n2.asExpr().(IndexExpr).getIndex() and
+      (
+        n2.getType() instanceof StringType or
+        n2.getType() instanceof IntegerType
+      )
     }
   }
 

go/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll

@@ -59,6 +59,7 @@ module InsecureRandomness {
         not (pkg = "crypto/rand" and name = "Read") and
         // `crypto/cipher` APIs for reading/writing encrypted streams
         not (pkg = "crypto/cipher" and name = ["Read", "Write"]) and
+        not (pkg = "crypto/tls" and name = ["Client", "Dial", "DialWithDialer"]) and
         // Some interfaces in the `crypto` package are the same as interfaces
         // elsewhere, e.g. tls.listener is the same as net.Listener
         not fn.hasQualifiedName(nonCryptoInterface(), _) and