Merge pull request #328 from owen-mc/gorm-exec

Update GORM model
2026-01-29 22:32:58 +01:00 · 2020-09-11 08:41:09 +01:00
parent 3758c6b7d8 13e82de53d
commit e9bf3317b5
8 changed files with 831 additions and 28 deletions
--- a/change-notes/2020-09-10-gorm-model-improved.md
+++ b/change-notes/2020-09-10-gorm-model-improved.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Support for the [GORM](https://github.com/go-gorm/gorm) ORM library (specifically, its SQL
+  statement building facilities) has been improved, which may lead to more results from the
+  security queries.
--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -161,13 +161,15 @@ module SQL {
    }
  }

-  /** A model for sinks of github.com/jinzhu/gorm. */
+  /** A model for sinks of GORM. */
  private class GormSink extends SQL::QueryString::Range {
    GormSink() {
-      exists(Method meth, string name |
-        meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and
+      exists(Method meth, string package, string name |
+        meth.hasQualifiedName(package, "DB", name) and
        this = meth.getACall().getArgument(0) and
-        name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"]
+        package in ["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"] and
+        name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having",
+              "Joins", "Exec", "Distinct", "Pluck"]
      )
    }
  }
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod
@@ -3,5 +3,6 @@ module gormtest
 go 1.14

 require (
-	github.com/jinzhu/gorm v1.9.15
+	github.com/jinzhu/gorm v1.9.16
+	gorm.io/gorm v1.20.0
 )
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected
@@ -1,9 +1,25 @@
-| gorm.go:15:11:15:19 | untrusted |
-| gorm.go:16:9:16:17 | untrusted |
-| gorm.go:17:11:17:19 | untrusted |
-| gorm.go:18:8:18:16 | untrusted |
-| gorm.go:19:12:19:20 | untrusted |
-| gorm.go:20:11:20:19 | untrusted |
-| gorm.go:21:11:21:19 | untrusted |
-| gorm.go:22:12:22:20 | untrusted |
-| gorm.go:23:11:23:19 | untrusted |
+| gorm.go:20:12:20:20 | untrusted | github.com/jinzhu/gorm | DB | Where |
+| gorm.go:21:10:21:18 | untrusted | github.com/jinzhu/gorm | DB | Raw |
+| gorm.go:22:10:22:18 | untrusted | github.com/jinzhu/gorm | DB | Not |
+| gorm.go:23:12:23:20 | untrusted | github.com/jinzhu/gorm | DB | Order |
+| gorm.go:24:9:24:17 | untrusted | github.com/jinzhu/gorm | DB | Or |
+| gorm.go:25:13:25:21 | untrusted | github.com/jinzhu/gorm | DB | Select |
+| gorm.go:26:12:26:20 | untrusted | github.com/jinzhu/gorm | DB | Table |
+| gorm.go:27:12:27:20 | untrusted | github.com/jinzhu/gorm | DB | Group |
+| gorm.go:28:13:28:21 | untrusted | github.com/jinzhu/gorm | DB | Having |
+| gorm.go:29:12:29:20 | untrusted | github.com/jinzhu/gorm | DB | Joins |
+| gorm.go:30:11:30:19 | untrusted | github.com/jinzhu/gorm | DB | Exec |
+| gorm.go:31:12:31:20 | untrusted | github.com/jinzhu/gorm | DB | Pluck |
+| gorm.go:34:12:34:20 | untrusted | gorm.io/gorm | DB | Where |
+| gorm.go:35:10:35:18 | untrusted | gorm.io/gorm | DB | Raw |
+| gorm.go:36:10:36:18 | untrusted | gorm.io/gorm | DB | Not |
+| gorm.go:37:12:37:20 | untrusted | gorm.io/gorm | DB | Order |
+| gorm.go:38:9:38:17 | untrusted | gorm.io/gorm | DB | Or |
+| gorm.go:39:13:39:21 | untrusted | gorm.io/gorm | DB | Select |
+| gorm.go:40:12:40:20 | untrusted | gorm.io/gorm | DB | Table |
+| gorm.go:41:12:41:20 | untrusted | gorm.io/gorm | DB | Group |
+| gorm.go:42:13:42:21 | untrusted | gorm.io/gorm | DB | Having |
+| gorm.go:43:12:43:20 | untrusted | gorm.io/gorm | DB | Joins |
+| gorm.go:44:11:44:19 | untrusted | gorm.io/gorm | DB | Exec |
+| gorm.go:45:15:45:23 | untrusted | gorm.io/gorm | DB | Distinct |
+| gorm.go:46:12:46:20 | untrusted | gorm.io/gorm | DB | Pluck |
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go
@@ -1,7 +1,11 @@
 package gormtest

+//go:generate depstubber -vendor github.com/jinzhu/gorm DB
+//go:generate depstubber -vendor gorm.io/gorm DB
+
 import (
-	"github.com/jinzhu/gorm"
+	gorm1 "github.com/jinzhu/gorm"
+	gorm2 "gorm.io/gorm"
 )

 func getUntrustedString() string {
@@ -10,16 +14,35 @@ func getUntrustedString() string {

 func main() {

-	db := gorm.DB{}
 	untrusted := getUntrustedString()
-	db.Where(untrusted)
-	db.Not(untrusted)
-	db.Order(untrusted)
-	db.Or(untrusted)
-	db.Select(untrusted)
-	db.Table(untrusted)
-	db.Group(untrusted)
-	db.Having(untrusted)
-	db.Joins(untrusted)
+
+	db1 := gorm1.DB{}
+	db1.Where(untrusted)
+	db1.Raw(untrusted)
+	db1.Not(untrusted)
+	db1.Order(untrusted)
+	db1.Or(untrusted)
+	db1.Select(untrusted)
+	db1.Table(untrusted)
+	db1.Group(untrusted)
+	db1.Having(untrusted)
+	db1.Joins(untrusted)
+	db1.Exec(untrusted)
+	db1.Pluck(untrusted, nil)
+
+	db2 := gorm2.DB{}
+	db2.Where(untrusted)
+	db2.Raw(untrusted)
+	db2.Not(untrusted)
+	db2.Order(untrusted)
+	db2.Or(untrusted)
+	db2.Select(untrusted)
+	db2.Table(untrusted)
+	db2.Group(untrusted)
+	db2.Having(untrusted)
+	db2.Joins(untrusted)
+	db2.Exec(untrusted)
+	db2.Distinct(untrusted)
+	db2.Pluck(untrusted, nil)

 }
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql
@@ -1,4 +1,5 @@
 import go

-from SQL::QueryString qs
-select qs
+from SQL::QueryString qs, Method meth, string a, string b, string c
+where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getArgument(0)
+select qs, a, b, c
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go
@@ -0,0 +1,753 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for gorm.io/gorm, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: gorm.io/gorm (exports: DB; functions: )
+
+// Package gorm is a stub of gorm.io/gorm, generated by depstubber.
+package gorm
+
+import (
+	context "context"
+	sql "database/sql"
+	reflect "reflect"
+	strings "strings"
+	sync "sync"
+	time "time"
+)
+
+type Association struct {
+	DB           *DB
+	Relationship interface{}
+	Error        error
+}
+
+func (_ *Association) Append(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *Association) Clear() error {
+	return nil
+}
+
+func (_ *Association) Count() int64 {
+	return 0
+}
+
+func (_ *Association) Delete(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *Association) Find(_ interface{}, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Association) Replace(_ ...interface{}) error {
+	return nil
+}
+
+type Config struct {
+	SkipDefaultTransaction                   bool
+	NamingStrategy                           interface{}
+	Logger                                   interface{}
+	NowFunc                                  func() time.Time
+	DryRun                                   bool
+	PrepareStmt                              bool
+	DisableAutomaticPing                     bool
+	DisableForeignKeyConstraintWhenMigrating bool
+	AllowGlobalUpdate                        bool
+	ClauseBuilders                           map[string]interface{}
+	ConnPool                                 ConnPool
+	Dialector                                Dialector
+	Plugins                                  map[string]Plugin
+}
+
+func (_ Config) BindVarTo(_ interface{}, _ *Statement, _ interface{}) {}
+
+func (_ Config) DataTypeOf(_ interface{}) string {
+	return ""
+}
+
+func (_ Config) DefaultValueOf(_ interface{}) interface{} {
+	return nil
+}
+
+func (_ Config) Explain(_ string, _ ...interface{}) string {
+	return ""
+}
+
+func (_ Config) Initialize(_ *DB) error {
+	return nil
+}
+
+func (_ Config) Migrator(_ *DB) Migrator {
+	return nil
+}
+
+func (_ Config) Name() string {
+	return ""
+}
+
+func (_ Config) QuoteTo(_ interface{}, _ string) {}
+
+type ConnPool interface {
+	ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error)
+	PrepareContext(_ context.Context, _ string) (*sql.Stmt, error)
+	QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error)
+	QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row
+}
+
+type DB struct {
+	Config       *Config
+	Error        error
+	RowsAffected int64
+	Statement    *Statement
+}
+
+func (_ DB) BindVarTo(_ interface{}, _ *Statement, _ interface{}) {}
+
+func (_ DB) DataTypeOf(_ interface{}) string {
+	return ""
+}
+
+func (_ DB) DefaultValueOf(_ interface{}) interface{} {
+	return nil
+}
+
+func (_ DB) Explain(_ string, _ ...interface{}) string {
+	return ""
+}
+
+func (_ DB) Initialize(_ *DB) error {
+	return nil
+}
+
+func (_ DB) Name() string {
+	return ""
+}
+
+func (_ DB) QuoteTo(_ interface{}, _ string) {}
+
+func (_ *DB) AddError(_ error) error {
+	return nil
+}
+
+func (_ *DB) Assign(_ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Association(_ string) *Association {
+	return nil
+}
+
+func (_ *DB) Attrs(_ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) AutoMigrate(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *DB) Begin(_ ...*sql.TxOptions) *DB {
+	return nil
+}
+
+func (_ *DB) Callback() interface{} {
+	return nil
+}
+
+func (_ *DB) Clauses(_ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Commit() *DB {
+	return nil
+}
+
+func (_ *DB) Count(_ *int64) *DB {
+	return nil
+}
+
+func (_ *DB) Create(_ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) DB() (*sql.DB, error) {
+	return nil, nil
+}
+
+func (_ *DB) Debug() *DB {
+	return nil
+}
+
+func (_ *DB) Delete(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Distinct(_ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Exec(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Find(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) FindInBatches(_ interface{}, _ int, _ func(*DB, int) error) *DB {
+	return nil
+}
+
+func (_ *DB) First(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) FirstOrCreate(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) FirstOrInit(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Get(_ string) (interface{}, bool) {
+	return nil, false
+}
+
+func (_ *DB) Group(_ string) *DB {
+	return nil
+}
+
+func (_ *DB) Having(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) InstanceGet(_ string) (interface{}, bool) {
+	return nil, false
+}
+
+func (_ *DB) InstanceSet(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Joins(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Last(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Limit(_ int) *DB {
+	return nil
+}
+
+func (_ *DB) Migrator() Migrator {
+	return nil
+}
+
+func (_ *DB) Model(_ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Not(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Offset(_ int) *DB {
+	return nil
+}
+
+func (_ *DB) Omit(_ ...string) *DB {
+	return nil
+}
+
+func (_ *DB) Or(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Order(_ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Pluck(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Preload(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Raw(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Rollback() *DB {
+	return nil
+}
+
+func (_ *DB) RollbackTo(_ string) *DB {
+	return nil
+}
+
+func (_ *DB) Row() *sql.Row {
+	return nil
+}
+
+func (_ *DB) Rows() (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ *DB) Save(_ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) SavePoint(_ string) *DB {
+	return nil
+}
+
+func (_ *DB) Scan(_ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) ScanRows(_ *sql.Rows, _ interface{}) error {
+	return nil
+}
+
+func (_ *DB) Scopes(_ ...func(*DB) *DB) *DB {
+	return nil
+}
+
+func (_ *DB) Select(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Session(_ *Session) *DB {
+	return nil
+}
+
+func (_ *DB) Set(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) SetupJoinTable(_ interface{}, _ string, _ interface{}) error {
+	return nil
+}
+
+func (_ *DB) Table(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Take(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Transaction(_ func(*DB) error, _ ...*sql.TxOptions) error {
+	return nil
+}
+
+func (_ *DB) Unscoped() *DB {
+	return nil
+}
+
+func (_ *DB) Update(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) UpdateColumn(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) UpdateColumns(_ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Updates(_ interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) Use(_ Plugin) error {
+	return nil
+}
+
+func (_ *DB) Where(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ *DB) WithContext(_ context.Context) *DB {
+	return nil
+}
+
+type Dialector interface {
+	BindVarTo(_ interface{}, _ *Statement, _ interface{})
+	DataTypeOf(_ interface{}) string
+	DefaultValueOf(_ interface{}) interface{}
+	Explain(_ string, _ ...interface{}) string
+	Initialize(_ *DB) error
+	Migrator(_ *DB) Migrator
+	Name() string
+	QuoteTo(_ interface{}, _ string)
+}
+
+type Migrator interface {
+	AddColumn(_ interface{}, _ string) error
+	AlterColumn(_ interface{}, _ string) error
+	AutoMigrate(_ ...interface{}) error
+	ColumnTypes(_ interface{}) ([]*sql.ColumnType, error)
+	CreateConstraint(_ interface{}, _ string) error
+	CreateIndex(_ interface{}, _ string) error
+	CreateTable(_ ...interface{}) error
+	CreateView(_ string, _ ViewOption) error
+	CurrentDatabase() string
+	DropColumn(_ interface{}, _ string) error
+	DropConstraint(_ interface{}, _ string) error
+	DropIndex(_ interface{}, _ string) error
+	DropTable(_ ...interface{}) error
+	DropView(_ string) error
+	FullDataTypeOf(_ interface{}) interface{}
+	HasColumn(_ interface{}, _ string) bool
+	HasConstraint(_ interface{}, _ string) bool
+	HasIndex(_ interface{}, _ string) bool
+	HasTable(_ interface{}) bool
+	MigrateColumn(_ interface{}, _ interface{}, _ *sql.ColumnType) error
+	RenameColumn(_ interface{}, _ string, _ string) error
+	RenameIndex(_ interface{}, _ string, _ string) error
+	RenameTable(_ interface{}, _ interface{}) error
+}
+
+type Plugin interface {
+	Initialize(_ *DB) error
+	Name() string
+}
+
+type Session struct {
+	DryRun                 bool
+	PrepareStmt            bool
+	WithConditions         bool
+	SkipDefaultTransaction bool
+	AllowGlobalUpdate      bool
+	Context                context.Context
+	Logger                 interface{}
+	NowFunc                func() time.Time
+}
+
+type Statement struct {
+	DB                   *DB
+	TableExpr            interface{}
+	Table                string
+	Model                interface{}
+	Unscoped             bool
+	Dest                 interface{}
+	ReflectValue         reflect.Value
+	Clauses              map[string]interface{}
+	Distinct             bool
+	Selects              []string
+	Omits                []string
+	Joins                []interface{}
+	Preloads             map[string][]interface{}
+	Settings             sync.Map
+	ConnPool             ConnPool
+	Schema               interface{}
+	Context              context.Context
+	RaiseErrorOnNotFound bool
+	UpdatingColumn       bool
+	SQL                  strings.Builder
+	Vars                 []interface{}
+	CurDestIndex         int
+}
+
+func (_ Statement) AddError(_ error) error {
+	return nil
+}
+
+func (_ Statement) Assign(_ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Association(_ string) *Association {
+	return nil
+}
+
+func (_ Statement) Attrs(_ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) AutoMigrate(_ ...interface{}) error {
+	return nil
+}
+
+func (_ Statement) Begin(_ ...*sql.TxOptions) *DB {
+	return nil
+}
+
+func (_ Statement) BindVarTo(_ interface{}, _ *Statement, _ interface{}) {}
+
+func (_ Statement) Callback() interface{} {
+	return nil
+}
+
+func (_ Statement) Commit() *DB {
+	return nil
+}
+
+func (_ Statement) Count(_ *int64) *DB {
+	return nil
+}
+
+func (_ Statement) Create(_ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) DataTypeOf(_ interface{}) string {
+	return ""
+}
+
+func (_ Statement) Debug() *DB {
+	return nil
+}
+
+func (_ Statement) DefaultValueOf(_ interface{}) interface{} {
+	return nil
+}
+
+func (_ Statement) Delete(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Exec(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Explain(_ string, _ ...interface{}) string {
+	return ""
+}
+
+func (_ Statement) Find(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) FindInBatches(_ interface{}, _ int, _ func(*DB, int) error) *DB {
+	return nil
+}
+
+func (_ Statement) First(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) FirstOrCreate(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) FirstOrInit(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Get(_ string) (interface{}, bool) {
+	return nil, false
+}
+
+func (_ Statement) Group(_ string) *DB {
+	return nil
+}
+
+func (_ Statement) Having(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Initialize(_ *DB) error {
+	return nil
+}
+
+func (_ Statement) InstanceGet(_ string) (interface{}, bool) {
+	return nil, false
+}
+
+func (_ Statement) InstanceSet(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Last(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Limit(_ int) *DB {
+	return nil
+}
+
+func (_ Statement) Migrator() Migrator {
+	return nil
+}
+
+func (_ Statement) Name() string {
+	return ""
+}
+
+func (_ Statement) Not(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Offset(_ int) *DB {
+	return nil
+}
+
+func (_ Statement) Omit(_ ...string) *DB {
+	return nil
+}
+
+func (_ Statement) Or(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Order(_ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Pluck(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Preload(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Raw(_ string, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Rollback() *DB {
+	return nil
+}
+
+func (_ Statement) RollbackTo(_ string) *DB {
+	return nil
+}
+
+func (_ Statement) Row() *sql.Row {
+	return nil
+}
+
+func (_ Statement) Rows() (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ Statement) Save(_ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) SavePoint(_ string) *DB {
+	return nil
+}
+
+func (_ Statement) Scan(_ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) ScanRows(_ *sql.Rows, _ interface{}) error {
+	return nil
+}
+
+func (_ Statement) Scopes(_ ...func(*DB) *DB) *DB {
+	return nil
+}
+
+func (_ Statement) Select(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Session(_ *Session) *DB {
+	return nil
+}
+
+func (_ Statement) Set(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) SetupJoinTable(_ interface{}, _ string, _ interface{}) error {
+	return nil
+}
+
+func (_ Statement) Take(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Transaction(_ func(*DB) error, _ ...*sql.TxOptions) error {
+	return nil
+}
+
+func (_ Statement) Update(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) UpdateColumn(_ string, _ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) UpdateColumns(_ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Updates(_ interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) Use(_ Plugin) error {
+	return nil
+}
+
+func (_ Statement) Where(_ interface{}, _ ...interface{}) *DB {
+	return nil
+}
+
+func (_ Statement) WithContext(_ context.Context) *DB {
+	return nil
+}
+
+func (_ *Statement) AddClause(_ interface{}) {}
+
+func (_ *Statement) AddClauseIfNotExists(_ interface{}) {}
+
+func (_ *Statement) AddVar(_ interface{}, _ ...interface{}) {}
+
+func (_ *Statement) Build(_ ...string) {}
+
+func (_ *Statement) BuildCondition(_ interface{}, _ ...interface{}) []interface{} {
+	return nil
+}
+
+func (_ *Statement) Changed(_ ...string) bool {
+	return false
+}
+
+func (_ *Statement) Parse(_ interface{}) error {
+	return nil
+}
+
+func (_ *Statement) Quote(_ interface{}) string {
+	return ""
+}
+
+func (_ *Statement) QuoteTo(_ interface{}, _ interface{}) {}
+
+func (_ *Statement) SelectAndOmitColumns(_ bool, _ bool) (map[string]bool, bool) {
+	return nil, false
+}
+
+func (_ *Statement) SetColumn(_ string, _ interface{}) {}
+
+func (_ *Statement) WriteByte(_ byte) error {
+	return nil
+}
+
+func (_ *Statement) WriteQuoted(_ interface{}) {}
+
+func (_ *Statement) WriteString(_ string) (int, error) {
+	return 0, nil
+}
+
+type ViewOption struct {
+	Replace     bool
+	CheckOption string
+	Query       *DB
+}
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt
@@ -1,3 +1,6 @@
-# github.com/jinzhu/gorm v1.9.15
+# github.com/jinzhu/gorm v1.9.16
 ## explicit
 github.com/jinzhu/gorm
+# gorm.io/gorm v1.20.0
+## explicit
+gorm.io/gorm