feat(detectors): add gorm as excluded package in sql injection detector (#96860)

roggenkemper · andrewshie-sentry · commit d01c3269e278 · 2025-08-04T15:08:05.000-07:00
this pr filters events with the `gorm` package - which is known to cause
false positive for sql injection
diff --git a/fixtures/events/performance_problems/sql-injection/sql-injection-event-gorm.json b/fixtures/events/performance_problems/sql-injection/sql-injection-event-gorm.json
@@ -0,0 +1,166 @@
+{
+  "event_id": "5d6401994d7949d2ac3474f472564370",
+  "platform": "go",
+  "message": "",
+  "datetime": "2025-05-12T22:42:38.642986+00:00",
+  "breakdowns": {
+    "span_ops": {
+      "ops.db": {
+        "value": 65.715075,
+        "unit": "millisecond"
+      },
+      "total.time": {
+        "value": 67.105293,
+        "unit": "millisecond"
+      }
+    }
+  },
+  "request": {
+    "url": "http://localhost:3001/vulnerable-login",
+    "method": "POST",
+    "data": {
+      "username": "bob"
+    }
+  },
+  "modules": {
+    "gorm.io/gorm": "v1.30.0"
+  },
+  "spans": [
+    {
+      "timestamp": 1747089758.567536,
+      "start_timestamp": 1747089758.567,
+      "exclusive_time": 0.536203,
+      "op": "middleware.express",
+      "span_id": "4a06692f4abc8dbe",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "corsMiddleware",
+      "origin": "auto.http.otel.express",
+      "data": {
+        "express.name": "corsMiddleware",
+        "express.type": "middleware",
+        "sentry.op": "middleware.express",
+        "sentry.origin": "auto.http.otel.express"
+      },
+      "sentry_tags": {
+        "user": "ip:::1",
+        "user.ip": "::1",
+        "environment": "production",
+        "transaction": "GET /vulnerable-login",
+        "transaction.method": "GET",
+        "transaction.op": "http.server",
+        "browser.name": "Chrome",
+        "sdk.name": "sentry.go",
+        "sdk.version": "9.17.0",
+        "platform": "go",
+        "os.name": "macOS",
+        "category": "middleware",
+        "op": "middleware.express",
+        "status": "ok",
+        "trace.status": "ok"
+      },
+      "hash": "e6088cf8b370ed60"
+    },
+    {
+      "timestamp": 1747089758.568761,
+      "start_timestamp": 1747089758.568,
+      "exclusive_time": 0.761032,
+      "op": "middleware.express",
+      "span_id": "92553d2584d250b8",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "jsonParser",
+      "origin": "auto.http.otel.express",
+      "data": {
+        "express.name": "jsonParser",
+        "express.type": "middleware",
+        "sentry.op": "middleware.express",
+        "sentry.origin": "auto.http.otel.express"
+      },
+      "sentry_tags": {
+        "user": "ip:::1",
+        "user.ip": "::1",
+        "environment": "production",
+        "transaction": "GET /vulnerable-login",
+        "transaction.method": "GET",
+        "transaction.op": "http.server",
+        "browser.name": "Chrome",
+        "sdk.name": "sentry.go",
+        "sdk.version": "9.17.0",
+        "platform": "go",
+        "os.name": "macOS",
+        "category": "middleware",
+        "op": "middleware.express",
+        "status": "ok",
+        "trace.status": "ok"
+      },
+      "hash": "c81e963dad9ebc6c"
+    },
+    {
+      "timestamp": 1747089758.569093,
+      "start_timestamp": 1747089758.569,
+      "exclusive_time": 0.092983,
+      "op": "request_handler.express",
+      "span_id": "435146ab0909419d",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "/vulnerable-login",
+      "origin": "auto.http.otel.express",
+      "data": {
+        "express.name": "/vulnerable-login",
+        "express.type": "request_handler",
+        "http.route": "/vulnerable-login",
+        "sentry.op": "request_handler.express",
+        "sentry.origin": "auto.http.otel.express"
+      },
+      "sentry_tags": {
+        "user": "ip:::1",
+        "user.ip": "::1",
+        "environment": "production",
+        "transaction": "GET /vulnerable-login",
+        "transaction.method": "GET",
+        "transaction.op": "http.server",
+        "browser.name": "Chrome",
+        "sdk.name": "sentry.go",
+        "sdk.version": "9.17.0",
+        "platform": "go",
+        "os.name": "macOS",
+        "op": "request_handler.express",
+        "status": "ok",
+        "trace.status": "ok"
+      },
+      "hash": "872b0c84a6f1c590"
+    },
+    {
+      "timestamp": 1747089758.637715,
+      "start_timestamp": 1747089758.572,
+      "exclusive_time": 65.715075,
+      "op": "db",
+      "span_id": "4703181ac343f71a",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "SELECT * FROM \"user\" WHERE username = 'bob' AND \"user\".\"deleted_at\" IS NULL ORDER BY \"user\".\"id\" LIMIT 1",
+      "origin": "auto.db.otel.mysql2",
+      "sentry_tags": {
+        "description": "SELECT * FROM \"user\" WHERE username = 'bob' AND \"user\".\"deleted_at\" IS NULL ORDER BY \"user\".\"id\" LIMIT 1"
+      },
+      "data": {
+        "db.system": "mysql",
+        "db.connection_string": "jdbc:mysql://localhost:3306/injection_test",
+        "db.name": "injection_test",
+        "db.statement": "SELECT * FROM \"user\" WHERE username = 'bob' AND \"user\".\"deleted_at\" IS NULL ORDER BY \"user\".\"id\" LIMIT 1",
+        "db.user": "root",
+        "net.peer.name": "localhost",
+        "net.peer.port": 3306,
+        "otel.kind": "CLIENT",
+        "sentry.op": "db",
+        "sentry.origin": "auto.db.otel.mysql2"
+      },
+      "hash": "45330ba0cafa5997"
+    }
+  ]
+}
diff --git a/src/sentry/performance_issues/detectors/sql_injection_detector.py b/src/sentry/performance_issues/detectors/sql_injection_detector.py
@@ -55,7 +55,7 @@
     "PAGE",
 ]
 
-EXCLUDED_PACKAGES = ["github.com/go-sql-driver/mysql", "sequelize"]
+EXCLUDED_PACKAGES = ["github.com/go-sql-driver/mysql", "sequelize", "gorm.io/gorm"]
 PARAMETERIZED_KEYWORDS = ["?", "$1", "%s"]
 
 
diff --git a/tests/sentry/performance_issues/test_sql_injection_detector.py b/tests/sentry/performance_issues/test_sql_injection_detector.py
@@ -86,3 +86,7 @@ def test_sql_injection_on_laravel_query(self) -> None:
     def test_sql_injection_on_query_with_bindings(self) -> None:
         injection_event = get_event("sql-injection/sql-injection-query-with-bindings")
         assert len(self.find_problems(injection_event)) == 0
+
+    def test_sql_injection_on_event_with_gorm(self) -> None:
+        injection_event = get_event("sql-injection/sql-injection-event-gorm")
+        assert len(self.find_problems(injection_event)) == 0

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@`
`55`	`55`	`"PAGE",`
`56`	`56`	`]`
`57`	`57`
`58`		`-EXCLUDED_PACKAGES = ["github.com/go-sql-driver/mysql", "sequelize"]`
	`58`	`+EXCLUDED_PACKAGES = ["github.com/go-sql-driver/mysql", "sequelize", "gorm.io/gorm"]`
`59`	`59`	`PARAMETERIZED_KEYWORDS = ["?", "$1", "%s"]`
`60`	`60`
`61`	`61`