feat(profiling): Add way to reject bad sdk versions for select orgs (#97574)

8.49.2 of the cocoa sdk fixed a bug where you might get profiles even if
it was never configured. This adds a way to reject profiles from these
older sdks on a per org basis. We can't turn this on for all orgs as it
means unaffected orgs will lose all their profiles.

Author: Zylphrex

src/sentry/features/temporary.py

@@ -304,6 +304,8 @@ def register_temporary_features(manager: FeatureManager):
     manager.add("organizations:profiling-sdks", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=True)
     # Enables dropping of deprecated profiling sdks used
     manager.add("organizations:profiling-deprecate-sdks", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=True)
+    # Enables dropping of profiles that may come from buggy sdks
+    manager.add("organizations:profiling-reject-sdks", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=True)
     # Enables production profiling in sentry browser application
     manager.add("organizations:profiling-browser", OrganizationFeature, FeatureHandlerStrategy.INTERNAL, api_expose=False)
     # Enables separate differential flamegraph page

src/sentry/models/projectsdk.py

@@ -15,6 +15,7 @@
 from sentry.db.models.base import DefaultFieldsModel
 from sentry.locks import locks
 from sentry.models.project import Project
+from sentry.options import UnknownOption
 from sentry.sdk_updates import get_sdk_index
 from sentry.utils import metrics
 from sentry.utils.cache import cache
@@ -175,11 +176,36 @@ def normalize_sdk_name(sdk_name: str) -> str | None:
 
 
 MINIMUM_SDK_VERSION_OPTIONS: dict[tuple[int, str], str] = {
+    (EventType.PROFILE.value, "sentry.cocoa"): "sdk-deprecation.profile.cocoa",
     (EventType.PROFILE_CHUNK.value, "sentry.cocoa"): "sdk-deprecation.profile-chunk.cocoa",
     (EventType.PROFILE_CHUNK.value, "sentry.python"): "sdk-deprecation.profile-chunk.python",
 }
 
 
+def get_rejected_sdk_version(event_type: int, sdk_name: str) -> Version | None:
+    parts = sdk_name.split(".", 2)
+    if len(parts) < 2:
+        return None
+
+    normalized_sdk_name = ".".join(parts[:2])
+
+    sdk_version_option = MINIMUM_SDK_VERSION_OPTIONS.get((event_type, normalized_sdk_name))
+    if sdk_version_option is None:
+        return None
+
+    try:
+        sdk_version = options.get(f"{sdk_version_option}.reject")
+    except UnknownOption:
+        sdk_version = None
+
+    if sdk_version:
+        try:
+            return parse_version(sdk_version)
+        except InvalidVersion as e:
+            sentry_sdk.capture_exception(e)
+    return None
+
+
 def get_minimum_sdk_version(event_type: int, sdk_name: str, hard_limit: bool) -> Version | None:
     parts = sdk_name.split(".", 2)
     if len(parts) < 2:
@@ -191,10 +217,13 @@ def get_minimum_sdk_version(event_type: int, sdk_name: str, hard_limit: bool) ->
     if sdk_version_option is None:
         return None
 
-    if hard_limit:
-        sdk_version = options.get(f"{sdk_version_option}.hard")
-    else:
-        sdk_version = options.get(sdk_version_option)
+    try:
+        if hard_limit:
+            sdk_version = options.get(f"{sdk_version_option}.hard")
+        else:
+            sdk_version = options.get(sdk_version_option)
+    except UnknownOption:
+        sdk_version = None
 
     if sdk_version:
         try:

src/sentry/options/defaults.py

@@ -3392,6 +3392,16 @@
     default="8.49.0",
     flags=FLAG_AUTOMATOR_MODIFIABLE,
 )
+register(
+    "sdk-deprecation.profile-chunk.cocoa.reject",
+    default="8.49.2",
+    flags=FLAG_AUTOMATOR_MODIFIABLE,
+)
+register(
+    "sdk-deprecation.profile.cocoa.reject",
+    default="8.49.2",
+    flags=FLAG_AUTOMATOR_MODIFIABLE,
+)
 
 
 # Orgs for which compression should be disabled in the chunk upload endpoint.

src/sentry/profiles/task.py

@@ -31,7 +31,12 @@
 from sentry.models.files.utils import get_profiles_storage
 from sentry.models.organization import Organization
 from sentry.models.project import Project
-from sentry.models.projectsdk import EventType, ProjectSDK, get_minimum_sdk_version
+from sentry.models.projectsdk import (
+    EventType,
+    ProjectSDK,
+    get_minimum_sdk_version,
+    get_rejected_sdk_version,
+)
 from sentry.objectstore.metrics import measure_storage_operation
 from sentry.profiles.java import (
     convert_android_methods_to_jvm_frames,
@@ -310,6 +315,9 @@ def _is_deprecated(profile: Profile, project: Project, organization: Organizatio
     try:
         sdk_name, sdk_version = determine_client_sdk(profile, event_type)
     except UnknownClientSDKException:
+        # unknown SDKs happen because older sdks didn't send the sdk version
+        # in the payload, so if we cant determine the client sdk, we assume
+        # it's one of the deprecated versions
         _track_outcome(
             profile=profile,
             project=project,
@@ -331,18 +339,31 @@ def _is_deprecated(profile: Profile, project: Project, organization: Organizatio
         # update the version so we can skip the update from this event
         return False
 
-    if not is_sdk_deprecated(event_type, sdk_name, sdk_version):
-        return False
+    if features.has("organizations:profiling-reject-sdks", organization) and is_sdk_rejected(
+        organization, event_type, sdk_name, sdk_version
+    ):
+        _track_outcome(
+            profile=profile,
+            project=project,
+            outcome=Outcome.FILTERED,
+            categories=[category],
+            reason="rejected sdk",
+        )
+        return True
 
-    _track_outcome(
-        profile=profile,
-        project=project,
-        outcome=Outcome.FILTERED,
-        categories=[category],
-        reason="deprecated sdk",
-    )
+    if features.has("organizations:profiling-deprecate-sdks", organization) and is_sdk_deprecated(
+        event_type, sdk_name, sdk_version
+    ):
+        _track_outcome(
+            profile=profile,
+            project=project,
+            outcome=Outcome.FILTERED,
+            categories=[category],
+            reason="deprecated sdk",
+        )
+        return True
 
-    return features.has("organizations:profiling-deprecate-sdks", organization)
+    return False
 
 
 JS_PLATFORMS = ["javascript", "node"]
@@ -1306,6 +1327,36 @@ def is_sdk_deprecated(event_type: EventType, sdk_name: str, sdk_version: str) ->
     return True
 
 
+def is_sdk_rejected(
+    organization: Organization, event_type: EventType, sdk_name: str, sdk_version: str
+) -> bool:
+    rejected_version = get_rejected_sdk_version(event_type.value, sdk_name)
+
+    # no rejected sdk version was specified
+    if rejected_version is None:
+        return False
+
+    try:
+        version = parse_version(sdk_version)
+    except InvalidVersion:
+        return False
+
+    # satisfies the rejected sdk version
+    if version >= rejected_version:
+        return False
+
+    parts = sdk_name.split(".", 2)
+    if len(parts) >= 2:
+        normalized_sdk_name = ".".join(parts[:2])
+        metrics.incr(
+            "process_profile.sdk.rejected",
+            tags={"sdk_name": normalized_sdk_name},
+            sample_rate=1.0,
+        )
+
+    return True
+
+
 @metrics.wraps("process_profile.process_vroomrs_profile")
 def _process_vroomrs_profile(profile: Profile, project: Project) -> bool:
     if "profiler_id" in profile:

tests/sentry/profiles/test_task.py

@@ -1134,6 +1134,67 @@ def test_deprecated_sdks(
         _push_profile_to_vroom.assert_called()
 
 
+@patch("sentry.profiles.task._track_outcome")
+@patch("sentry.profiles.task._push_profile_to_vroom")
+@django_db_all
+@pytest.mark.parametrize(
+    ["profile", "category", "sdk_version", "dropped"],
+    [
+        pytest.param("sample_v1_profile", DataCategory.PROFILE, "2.23.0", True),
+        pytest.param("sample_v2_profile", DataCategory.PROFILE_CHUNK, "2.23.0", True),
+        pytest.param("sample_v2_profile", DataCategory.PROFILE_CHUNK, "2.24.0", False),
+        pytest.param("sample_v2_profile", DataCategory.PROFILE_CHUNK, "2.24.1", False),
+    ],
+)
+def test_rejected_sdks(
+    _push_profile_to_vroom,
+    _track_outcome,
+    profile,
+    category,
+    sdk_version,
+    dropped,
+    organization,
+    project,
+    request,
+):
+    profile = request.getfixturevalue(profile)
+    profile["organization_id"] = organization.id
+    profile["project_id"] = project.id
+    profile["client_sdk"] = {
+        "name": "sentry.cocoa",
+        "version": sdk_version,
+    }
+
+    with Feature(
+        [
+            "organizations:profiling-sdks",
+            "organizations:profiling-deprecate-sdks",
+            "organizations:profiling-reject-sdks",
+        ]
+    ):
+        with override_options(
+            {
+                "sdk-deprecation.profile-chunk.cocoa": "2.24.1",
+                "sdk-deprecation.profile-chunk.cocoa.hard": "2.24.0",
+                "sdk-deprecation.profile-chunk.cocoa.reject": "2.23.1",
+                "sdk-deprecation.profile.cocoa.reject": "2.23.1",
+            }
+        ):
+            process_profile_task(profile=profile)
+
+    if dropped:
+        _push_profile_to_vroom.assert_not_called()
+        _track_outcome.assert_called_with(
+            profile=profile,
+            project=project,
+            outcome=Outcome.FILTERED,
+            categories=[category],
+            reason="rejected sdk",
+        )
+    else:
+        _push_profile_to_vroom.assert_called()
+
+
 @patch("sentry.profiles.task._symbolicate_profile")
 @patch("sentry.profiles.task._deobfuscate_profile")
 @patch("sentry.profiles.task._push_profile_to_vroom")