Databases
ORM and driver sinks: GORM, sqlx, pgx, database/sql
GoGormDB: Represents gorm.DB, the primary database handle in GORM v2. Raw(), Exec(), and Where() with string arguments are SQL injection sinks when called with unsanitized user input.
GoK8sIoClientGo: Go third-party package — k8s.io/client-go. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
GoMongoCollection: MongoDB Go driver Collection and Client. Queries built from user input via bson.D or bson.M with string interpolation are NoSQL injection sinks. The filter argument on Find/Update/Delete operations is where tainted input lands.
GoPgxConn: pgx PostgreSQL driver. Connection and Pool types expose Query/Exec/QueryRow that accept raw SQL strings — injection sinks when the SQL is built from user input. pgx is the recommended Postgres driver for new Go projects.
GoRedisClient: go-redis Client for Redis operations. Most Redis commands are typed and safe, but Eval() and EvalSha() accept Lua scripts that can be injection sinks when the script body is user-controlled. ACL commands can also be sinks.
GoSqlxDB: Represents sqlx.DB and sqlx.Tx from the sqlx library, which extends database/sql with struct scanning. Unsafe query methods (QueryUnsafe, GetUnsafe) and raw string methods are injection sinks.