diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected
index b2659fffde7..40be0e8df69 100644
--- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected
+++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected
@@ -1,8 +1,7 @@
 #select
 | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | InsecureRandomness.go:12:18:12:40 | call to Intn | random number |
 | sample.go:26:25:26:30 | call to Guid | sample.go:15:49:15:61 | call to Uint32 | sample.go:26:25:26:30 | call to Guid | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:15:49:15:61 | call to Uint32 | random number |
-| sample.go:37:25:37:29 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:25:37:29 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number |
-| sample.go:37:32:37:36 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:32:37:36 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number |
+| sample.go:37:35:37:39 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:35:37:39 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number |
 | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | sample.go:43:17:43:39 | call to Intn | random number |
 | sample.go:58:32:58:43 | type conversion | sample.go:55:17:55:42 | call to Intn | sample.go:58:32:58:43 | type conversion | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:55:17:55:42 | call to Intn | random number |
 edges
@@ -13,8 +12,7 @@ edges
 | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | []type{args} [array] | provenance |  |
 | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | call to Sprintf | provenance | FunctionModel |
 | sample.go:16:9:16:15 | slice expression | sample.go:26:25:26:30 | call to Guid | provenance |  |
-| sample.go:33:2:33:6 | definition of nonce | sample.go:37:25:37:29 | nonce | provenance |  |
-| sample.go:33:2:33:6 | definition of nonce | sample.go:37:32:37:36 | nonce | provenance |  |
+| sample.go:33:2:33:6 | definition of nonce | sample.go:37:35:37:39 | nonce | provenance |  |
 | sample.go:34:12:34:40 | call to New | sample.go:35:14:35:19 | random | provenance |  |
 | sample.go:35:14:35:19 | random | sample.go:33:2:33:6 | definition of nonce | provenance | MaD:2 |
 | sample.go:55:17:55:42 | call to Intn | sample.go:56:29:56:38 | randNumber | provenance |  |
@@ -36,8 +34,7 @@ nodes
 | sample.go:33:2:33:6 | definition of nonce | semmle.label | definition of nonce |
 | sample.go:34:12:34:40 | call to New | semmle.label | call to New |
 | sample.go:35:14:35:19 | random | semmle.label | random |
-| sample.go:37:25:37:29 | nonce | semmle.label | nonce |
-| sample.go:37:32:37:36 | nonce | semmle.label | nonce |
+| sample.go:37:35:37:39 | nonce | semmle.label | nonce |
 | sample.go:43:17:43:39 | call to Intn | semmle.label | call to Intn |
 | sample.go:44:17:44:39 | call to Intn | semmle.label | call to Intn |
 | sample.go:45:17:45:39 | call to Intn | semmle.label | call to Intn |
diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go
index df703ff0dfa..9eef81f63bb 100644
--- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go
+++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go
@@ -34,7 +34,7 @@ func encrypt(data []byte, password string) []byte {
 	random := rand.New(rand.NewSource(999))
 	io.ReadFull(random, nonce)
 
-	ciphertext := gcm.Seal(nonce, nonce, data, nil) // BAD: use of an insecure rng to generate a nonce
+	ciphertext := gcm.Seal(data[:0], nonce, data, nil) // BAD: use of an insecure rng to generate a nonce
 	return ciphertext
 }