Merge branch 'main' into modelnoise

2025-12-17 01:03:14 +01:00 · 2025-04-17 10:43:15 +01:00
parent 372ba5c9a5 7e108a8a29
commit 8d60e82ec0
14 changed files with 361 additions and 12 deletions
--- a/rust/ql/lib/codeql/rust/Concepts.qll
+++ b/rust/ql/lib/codeql/rust/Concepts.qll
@@ -102,6 +102,58 @@ class ModeledEnvironmentSource extends EnvironmentSource::Range {
  ModeledEnvironmentSource() { sourceNode(this, "environment-source") }
 }

+/**
+ * A data flow source corresponding to a file access.
+ */
+final class FileSource = FileSource::Range;
+
+/**
+ * An externally modeled source for data from a file access.
+ */
+class ModeledFileSource extends FileSource::Range {
+  ModeledFileSource() { sourceNode(this, "file") }
+}
+
+/**
+ * Provides a class for modeling new sources for file accesses.
+ */
+module FileSource {
+  /**
+   * A data flow source corresponding to a file access.
+   */
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "file" }
+
+    override string getSourceType() { result = "FileSource" }
+  }
+}
+
+/**
+ * A data flow source corresponding to standard input.
+ */
+final class StdInSource = StdInSource::Range;
+
+/**
+ * An externally modeled source for data from standard input.
+ */
+class ModeledStdInSourceSource extends StdInSource::Range {
+  ModeledStdInSourceSource() { sourceNode(this, "stdin") }
+}
+
+/**
+ * Provides a class for modeling new sources for standard input.
+ */
+module StdInSource {
+  /**
+   * A data flow source corresponding to standard input.
+   */
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "stdin" }
+
+    override string getSourceType() { result = "StdInSource" }
+  }
+}
+
 /**
 * A data flow source corresponding to the program's database reads.
 */
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
@@ -2,7 +2,14 @@ extensions:
  - addsTo:
      pack: codeql/rust-all
      extensible: sourceModel
-    data: []
+    data:
+      - ["lang:std", "crate::fs::read", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "crate::fs::read_to_string", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "crate::fs::read_link", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "<crate::fs::DirEntry>::path", "ReturnValue", "file", "manual"]
+      - ["lang:std", "<crate::fs::DirEntry>::file_name", "ReturnValue", "file", "manual"]
+      - ["lang:std", "<crate::fs::File>::open", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "<crate::fs::File>::open_buffered", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
  - addsTo:
      pack: codeql/rust-all
      extensible: sinkModel
@@ -34,7 +41,6 @@ extensions:
      - ["lang:std", "<crate::fs::File>::create_new", "Argument[0]", "path-injection", "manual"]
      - ["lang:std", "<crate::fs::File>::open", "Argument[0]", "path-injection", "manual"]
      - ["lang:std", "<crate::fs::File>::open_buffered", "Argument[0]", "path-injection", "manual"]
-
  - addsTo:
      pack: codeql/rust-all
      extensible: summaryModel
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml
@@ -0,0 +1,38 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["lang:std", "crate::io::stdio::stdin", "ReturnValue", "stdin", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["lang:std", "<crate::io::buffered::bufreader::BufReader>::new", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::io::buffered::bufreader::BufReader as crate::io::BufRead>::fill_buf", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["lang:std", "<crate::io::buffered::bufreader::BufReader>::buffer", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin as crate::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::StdinLock as crate::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin as crate::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::StdinLock as crate::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", ":<crate::io::stdio::Stdin as crate::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", ":<crate::io::stdio::StdinLock as crate::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin as crate::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::StdinLock as crate::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::read_line", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::read_until", "Argument[self]", "Argument[1].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::split", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::lines", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::bytes", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::chain", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::chain", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::take", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin>::lock", "Argument[self]", "ReturnValue", "taint", "manual"]
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-alloc.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-alloc.model.yml
@@ -32,6 +32,8 @@ extensions:
      # Fmt
      - ["lang:alloc", "crate::fmt::format", "Argument[0]", "ReturnValue", "taint", "manual"]
      # String
-      - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
-      - ["lang:alloc", "<crate::string::String>::as_bytes", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "value", "manual"]
+      - ["lang:alloc", "<crate::string::String>::as_bytes", "Argument[self]", "ReturnValue", "value", "manual"]
      - ["lang:alloc", "<_ as crate::string::ToString>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:alloc", "<crate::string::String>::parse", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["lang:alloc", "<crate::string::String>::trim", "Argument[self]", "ReturnValue.Reference", "taint", "manual"]
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
@@ -40,7 +40,11 @@ extensions:
      - ["lang:core", "crate::ptr::write_unaligned", "Argument[1]", "Argument[0].Reference", "value", "manual"]
      - ["lang:core", "crate::ptr::write_volatile", "Argument[1]", "Argument[0].Reference", "value", "manual"]
      # Str
+      - ["lang:core", "<str>::as_str", "Argument[self]", "ReturnValue", "taint", "value"]
+      - ["lang:core", "<str>::as_bytes", "Argument[self]", "ReturnValue", "taint", "value"]
+      - ["lang:core", "<str>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]
      - ["lang:core", "<str>::parse", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["lang:core", "<str>::trim", "Argument[self]", "ReturnValue.Reference", "taint", "manual"]
  - addsTo:
      pack: codeql/rust-all
      extensible: sourceModel
--- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
+++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
@@ -878,8 +878,25 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<usize as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:proc_macro::_::<usize as crate::bridge::rpc::DecodeMut>::decode |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_:::<crate::io::stdio::Stdin as crate::io::Read>::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_:::<crate::io::stdio::Stdin as crate::io::Read>::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_:::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_:::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_string |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::IoSlice>::advance_slices | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::IoSlice>::advance_slices |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::IoSliceMut>::advance_slices | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::IoSliceMut>::advance_slices |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_to_string |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_string |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::BufRead::read_line | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::BufRead::read_line |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read_to_string |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference.Reference in lang:proc_macro::_::<&[u8] as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<&[u8] as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference.Reference in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference.Reference in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode |
@@ -895,6 +912,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0].Reference in lang:core::_::<crate::cell::RefMut>::map_split | &ref | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0] in lang:core::_::<crate::cell::RefMut>::map_split |
 | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0].Reference in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_while | &ref | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_while |
 | file://:0:0:0:0 | [summary] to write: Argument[1].Reference in lang:core::_::<_ as crate::clone::uninit::CopySpec>::clone_one | &ref | file://:0:0:0:0 | [post] [summary param] 1 in lang:core::_::<_ as crate::clone::uninit::CopySpec>::clone_one |
+| file://:0:0:0:0 | [summary] to write: Argument[1].Reference in lang:std::_::crate::io::BufRead::read_until | &ref | file://:0:0:0:0 | [post] [summary param] 1 in lang:std::_::crate::io::BufRead::read_until |
 | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0].Reference in lang:core::_::crate::cmp::max_by | &ref | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0] in lang:core::_::crate::cmp::max_by |
 | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0].Reference in lang:core::_::crate::cmp::max_by_key | &ref | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0] in lang:core::_::crate::cmp::max_by_key |
 | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0].Reference in lang:core::_::crate::cmp::min_by | &ref | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0] in lang:core::_::crate::cmp::min_by |
@@ -1100,6 +1118,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Err(0)].Reference in lang:core::_::<crate::result::Result>::as_ref | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Err(0)] in lang:core::_::<crate::result::Result>::as_ref |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:alloc::_::<crate::collections::btree::node::NodeRef>::search_tree_for_bifurcation | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::collections::btree::node::NodeRef>::search_tree_for_bifurcation |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:alloc::_::<crate::string::String as crate::str::traits::FromStr>::from_str | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String as crate::str::traits::FromStr>::from_str |
+| file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:alloc::_::<crate::string::String>::parse | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::parse |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<crate::alloc::layout::Layout>::align_to | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::alloc::layout::Layout>::align_to |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<crate::alloc::layout::Layout>::array | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::alloc::layout::Layout>::array |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<crate::alloc::layout::Layout>::extend | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::alloc::layout::Layout>::extend |
@@ -1123,6 +1142,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::or_else | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::or_else |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<str>::parse | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<str>::parse |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<&[u8] as crate::io::BufRead>::fill_buf | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<&[u8] as crate::io::BufRead>::fill_buf |
+| file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::io::buffered::bufreader::BufReader as crate::io::BufRead>::fill_buf | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::io::buffered::bufreader::BufReader as crate::io::BufRead>::fill_buf |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::path::Path>::canonicalize | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::path::Path>::canonicalize |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout |
@@ -1178,6 +1198,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:alloc::_::<crate::rc::UniqueRc as crate::convert::AsRef>::as_ref | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::rc::UniqueRc as crate::convert::AsRef>::as_ref |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:alloc::_::<crate::string::String as crate::borrow::Borrow>::borrow | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String as crate::borrow::Borrow>::borrow |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:alloc::_::<crate::string::String as crate::borrow::BorrowMut>::borrow_mut | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String as crate::borrow::BorrowMut>::borrow_mut |
+| file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:alloc::_::<crate::string::String>::trim | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::trim |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:alloc::_::<crate::sync::Arc as crate::borrow::Borrow>::borrow | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::sync::Arc as crate::borrow::Borrow>::borrow |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:alloc::_::<crate::sync::Arc as crate::convert::AsRef>::as_ref | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::sync::Arc as crate::convert::AsRef>::as_ref |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:alloc::_::<crate::vec::Vec as crate::borrow::Borrow>::borrow | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::vec::Vec as crate::borrow::Borrow>::borrow |
@@ -1201,6 +1222,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:core::_::<crate::option::Option>::insert | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::insert |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:core::_::<crate::panic::unwind_safe::AssertUnwindSafe as crate::ops::deref::Deref>::deref | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::panic::unwind_safe::AssertUnwindSafe as crate::ops::deref::Deref>::deref |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:core::_::<crate::panic::unwind_safe::AssertUnwindSafe as crate::ops::deref::DerefMut>::deref_mut | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::panic::unwind_safe::AssertUnwindSafe as crate::ops::deref::DerefMut>::deref_mut |
+| file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:core::_::<str>::trim | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<str>::trim |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:core::_::<usize as crate::slice::index::SliceIndex>::index | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<usize as crate::slice::index::SliceIndex>::index |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:core::_::<usize as crate::slice::index::SliceIndex>::index_mut | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<usize as crate::slice::index::SliceIndex>::index_mut |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Reference in lang:proc_macro::_::<&[u8] as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:proc_macro::_::<&[u8] as crate::bridge::rpc::DecodeMut>::decode |
--- a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -22,4 +22,28 @@
 | test.rs:80:24:80:35 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:112:35:112:46 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:119:31:119:42 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:203:16:203:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs (DEFAULT). |
+| test.rs:205:31:205:43 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:210:31:210:38 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:215:22:215:39 | ...::read_to_string | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:221:22:221:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:222:27:222:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:228:22:228:34 | ...::read_link | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:243:22:243:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:249:22:249:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:255:22:255:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:261:9:261:22 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:265:17:265:30 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:271:20:271:38 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:304:50:304:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:310:50:310:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:317:50:317:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:324:50:324:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:331:56:331:69 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:338:50:338:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:345:50:345:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:351:50:351:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:360:25:360:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:361:25:361:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:369:25:369:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:377:22:377:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:386:16:386:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs (DEFAULT). |
--- a/rust/ql/test/library-tests/dataflow/sources/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -198,6 +198,189 @@ async fn test_hyper_http(case: i64) -> Result<(), Box<dyn std::error::Error>> {
    Ok(())
 }

+use std::fs;
+
+fn test_fs() -> Result<(), Box<dyn std::error::Error>> {
+    {
+        let buffer: Vec<u8> = std::fs::read("file.bin")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.bin"
+    }
+
+    {
+        let buffer: Vec<u8> = fs::read("file.bin")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.bin"
+    }
+
+    {
+        let buffer = fs::read_to_string("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    for entry in fs::read_dir("directory")? {
+        let e = entry?;
+        let path = e.path(); // $ Alert[rust/summary/taint-sources]
+        let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
+        sink(path); // $ hasTaintFlow
+        sink(file_name); // $ hasTaintFlow
+    }
+
+    {
+        let target = fs::read_link("symlink.txt")?; // $ Alert[rust/summary/taint-sources]
+        sink(target); // $ hasTaintFlow="symlink.txt"
+    }
+
+    Ok(())
+}
+
+use std::io::Read;
+use std::io::BufRead;
+
+fn test_io_fs() -> std::io::Result<()> {
+    // --- stdin ---
+
+    {
+        let mut buffer = [0u8; 100];
+        let _bytes = std::io::stdin().read(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let _bytes = std::io::stdin().read_to_end(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ MISSING: hasTaintFlow
+    }
+
+    {
+        let mut buffer = String::new();
+        let _bytes = std::io::stdin().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = [0; 100];
+        std::io::stdin().read_exact(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    for byte in std::io::stdin().bytes() { // $ Alert[rust/summary/taint-sources]
+        sink(byte); // $ hasTaintFlow
+    }
+
+    // --- file ---
+
+    let mut file = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
+
+    {
+        let mut buffer = [0u8; 100];
+        let _bytes = file.read(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let _bytes = file.read_to_end(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = String::new();
+        let _bytes = file.read_to_string(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = [0; 100];
+        file.read_exact(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    for byte in file.bytes() {
+        sink(byte); // $ hasTaintFlow="file.txt"
+    }
+
+    // --- BufReader ---
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let data = reader.fill_buf()?;
+        sink(&data); // $ hasTaintFlow
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let data = reader.buffer();
+        sink(&data); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = String::new();
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        reader.read_line(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        reader.read_until(b',', &mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let mut reader_split = std::io::BufReader::new(std::io::stdin()).split(b','); // $ Alert[rust/summary/taint-sources]
+        while let Some(chunk) = reader_split.next() {
+            sink(chunk.unwrap()); // $ MISSING: hasTaintFlow
+        }
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        for line in reader.lines() {
+            sink(line); // $ hasTaintFlow
+        }
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let line = reader.lines().nth(1).unwrap();
+        sink(line.unwrap().clone()); // $ MISSING: hasTaintFlow
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let lines: Vec<_> = reader.lines().collect();
+        sink(lines[1].as_ref().unwrap().clone()); // $ MISSING: hasTaintFlow
+    }
+
+    // --- misc operations ---
+
+    {
+        let mut buffer = String::new();
+        let mut file1 = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        let mut file2 = std::fs::File::open("another_file.txt")?; // $ Alert[rust/summary/taint-sources]
+        let mut reader = file1.chain(file2);
+        reader.read_to_string(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt" hasTaintFlow="another_file.txt"
+    }
+
+    {
+        let mut buffer = String::new();
+        let mut file1 = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        let mut reader = file1.take(100);
+        reader.read_to_string(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = String::new();
+        let _bytes = std::io::stdin().lock().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    Ok(())
+}
+
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let case = std::env::args().nth(1).unwrap_or(String::from("1")).parse::<i64>().unwrap(); // $ Alert[rust/summary/taint-sources]
--- a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected
@@ -1,7 +1,7 @@
 models
 | 1 | Summary: lang:alloc; <_ as crate::string::ToString>::to_string; Argument[self]; ReturnValue; taint |
 | 2 | Summary: lang:alloc; <crate::string::String as crate::convert::From>::from; Argument[0]; ReturnValue; value |
-| 3 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
+| 3 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; value |
 | 4 | Summary: lang:alloc; crate::fmt::format; Argument[0]; ReturnValue; taint |
 | 5 | Summary: lang:core; crate::hint::must_use; Argument[0]; ReturnValue; value |
 edges
--- a/rust/ql/test/library-tests/dataflow/strings/main.rs
+++ b/rust/ql/test/library-tests/dataflow/strings/main.rs
@@ -61,7 +61,7 @@ fn string_to_string() {

 fn as_str() {
    let s = source(67);
-    sink_slice(s.as_str()); // $ hasTaintFlow=67
+    sink_slice(s.as_str()); // $ hasValueFlow=67
 }

 fn format_args_built_in() {
--- a/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected
+++ b/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected
@@ -32,11 +32,15 @@ edges
 | sqlx.rs:52:32:52:87 | MacroExpr | sqlx.rs:52:32:52:87 | ...::format(...) | provenance | MaD:4 |
 | sqlx.rs:52:32:52:87 | { ... } | sqlx.rs:52:32:52:87 | ...::must_use(...) | provenance | MaD:9 |
 | sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | sqlx.rs:63:26:63:39 | unsafe_query_1 [&ref] | provenance |  |
+| sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | sqlx.rs:63:26:63:48 | unsafe_query_1.as_str() | provenance | MaD:3 |
 | sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | sqlx.rs:74:25:74:38 | unsafe_query_1 [&ref] | provenance |  |
+| sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | sqlx.rs:74:25:74:47 | unsafe_query_1.as_str() | provenance | MaD:3 |
 | sqlx.rs:53:26:53:36 | &arg_string [&ref] | sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | provenance |  |
 | sqlx.rs:53:27:53:36 | arg_string | sqlx.rs:53:26:53:36 | &arg_string [&ref] | provenance |  |
 | sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:65:30:65:43 | unsafe_query_2 [&ref] | provenance |  |
+| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:65:30:65:52 | unsafe_query_2.as_str() | provenance | MaD:3 |
 | sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:76:29:76:42 | unsafe_query_2 [&ref] | provenance |  |
+| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:76:29:76:51 | unsafe_query_2.as_str() | provenance | MaD:3 |
 | sqlx.rs:54:26:54:39 | &remote_string [&ref] | sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | provenance |  |
 | sqlx.rs:54:27:54:39 | remote_string | sqlx.rs:54:26:54:39 | &remote_string [&ref] | provenance |  |
 | sqlx.rs:56:9:56:22 | unsafe_query_4 | sqlx.rs:67:30:67:52 | unsafe_query_4.as_str() | provenance | MaD:3 |
@@ -53,7 +57,7 @@ edges
 models
 | 1 | Source: lang:std; crate::env::args; command-line-source; ReturnValue.Element |
 | 2 | Source: repo:https://github.com/seanmonstar/reqwest:reqwest; crate::blocking::get; remote; ReturnValue.Field[crate::result::Result::Ok(0)] |
-| 3 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
+| 3 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; value |
 | 4 | Summary: lang:alloc; crate::fmt::format; Argument[0]; ReturnValue; taint |
 | 5 | Summary: lang:core; <crate::option::Option>::unwrap_or; Argument[self].Field[crate::option::Option::Some(0)]; ReturnValue; value |
 | 6 | Summary: lang:core; <crate::result::Result>::unwrap; Argument[self].Field[crate::result::Result::Ok(0)]; ReturnValue; value |
--- a/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected
+++ b/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected
@@ -226,8 +226,8 @@ models
 | 8 | Sink: lang:std; crate::io::stdio::_print; log-injection; Argument[0] |
 | 9 | Sink: repo:https://github.com/rust-lang/log:log; crate::__private_api::log; log-injection; Argument[1] |
 | 10 | Sink: repo:https://github.com/rust-lang/log:log; crate::__private_api::log; log-injection; Argument[3] |
-| 11 | Summary: lang:alloc; <crate::string::String>::as_bytes; Argument[self]; ReturnValue; taint |
-| 12 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
+| 11 | Summary: lang:alloc; <crate::string::String>::as_bytes; Argument[self]; ReturnValue; value |
+| 12 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; value |
 | 13 | Summary: lang:alloc; crate::fmt::format; Argument[0]; ReturnValue; taint |
 | 14 | Summary: lang:core; crate::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
--- a/rust/ql/test/query-tests/security/CWE-328/WeakSensitiveDataHashing.expected
+++ b/rust/ql/test/query-tests/security/CWE-328/WeakSensitiveDataHashing.expected
@@ -12,6 +12,8 @@
 | test.rs:62:9:62:24 | ...::digest | test.rs:62:26:62:37 | password_arr | test.rs:62:9:62:24 | ...::digest | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:62:26:62:37 | password_arr | Sensitive data (password) |
 | test.rs:64:9:64:24 | ...::digest | test.rs:64:26:64:37 | password_vec | test.rs:64:9:64:24 | ...::digest | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:64:26:64:37 | password_vec | Sensitive data (password) |
 | test.rs:77:9:77:33 | ...::new_with_prefix | test.rs:77:35:77:42 | password | test.rs:77:9:77:33 | ...::new_with_prefix | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:77:35:77:42 | password | Sensitive data (password) |
+| test.rs:81:9:81:24 | ...::digest | test.rs:81:26:81:33 | password | test.rs:81:9:81:24 | ...::digest | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:81:26:81:33 | password | Sensitive data (password) |
+| test.rs:83:9:83:24 | ...::digest | test.rs:83:26:83:33 | password | test.rs:83:9:83:24 | ...::digest | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:83:26:83:33 | password | Sensitive data (password) |
 edges
 | test.rs:14:26:14:39 | credit_card_no | test.rs:14:9:14:24 | ...::digest | provenance | MaD:1 Sink:MaD:1 |
 | test.rs:15:26:15:33 | password | test.rs:15:9:15:24 | ...::digest | provenance | MaD:1 Sink:MaD:1 |
@@ -26,10 +28,16 @@ edges
 | test.rs:62:26:62:37 | password_arr | test.rs:62:9:62:24 | ...::digest | provenance | MaD:1 Sink:MaD:1 |
 | test.rs:64:26:64:37 | password_vec | test.rs:64:9:64:24 | ...::digest | provenance | MaD:1 Sink:MaD:1 |
 | test.rs:77:35:77:42 | password | test.rs:77:9:77:33 | ...::new_with_prefix | provenance | MaD:2 Sink:MaD:2 |
+| test.rs:81:26:81:33 | password | test.rs:81:26:81:40 | password.trim() [&ref] | provenance | MaD:5 |
+| test.rs:81:26:81:40 | password.trim() [&ref] | test.rs:81:9:81:24 | ...::digest | provenance | MaD:1 Sink:MaD:1 |
+| test.rs:83:26:83:33 | password | test.rs:83:26:83:44 | password.as_bytes() | provenance | MaD:4 |
+| test.rs:83:26:83:44 | password.as_bytes() | test.rs:83:9:83:24 | ...::digest | provenance | MaD:1 Sink:MaD:1 |
 models
 | 1 | Sink: repo:https://github.com/RustCrypto/traits:digest; <_ as crate::digest::Digest>::digest; hasher-input; Argument[0] |
 | 2 | Sink: repo:https://github.com/RustCrypto/traits:digest; <_ as crate::digest::Digest>::new_with_prefix; hasher-input; Argument[0] |
 | 3 | Sink: repo:https://github.com/stainless-steel/md5:md5; crate::compute; hasher-input; Argument[0] |
+| 4 | Summary: lang:core; <str>::as_bytes; Argument[self]; ReturnValue; taint |
+| 5 | Summary: lang:core; <str>::trim; Argument[self]; ReturnValue.Reference; taint |
 nodes
 | test.rs:14:9:14:24 | ...::digest | semmle.label | ...::digest |
 | test.rs:14:26:14:39 | credit_card_no | semmle.label | credit_card_no |
@@ -57,4 +65,10 @@ nodes
 | test.rs:64:26:64:37 | password_vec | semmle.label | password_vec |
 | test.rs:77:9:77:33 | ...::new_with_prefix | semmle.label | ...::new_with_prefix |
 | test.rs:77:35:77:42 | password | semmle.label | password |
+| test.rs:81:9:81:24 | ...::digest | semmle.label | ...::digest |
+| test.rs:81:26:81:33 | password | semmle.label | password |
+| test.rs:81:26:81:40 | password.trim() [&ref] | semmle.label | password.trim() [&ref] |
+| test.rs:83:9:83:24 | ...::digest | semmle.label | ...::digest |
+| test.rs:83:26:83:33 | password | semmle.label | password |
+| test.rs:83:26:83:44 | password.as_bytes() | semmle.label | password.as_bytes() |
 subpaths
--- a/rust/ql/test/query-tests/security/CWE-328/test.rs
+++ b/rust/ql/test/query-tests/security/CWE-328/test.rs
@@ -78,9 +78,9 @@ fn test_hash_code_patterns(

    // hash transformed data
    _ = md5::Md5::digest(harmless.trim());
-    _ = md5::Md5::digest(password.trim()); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
+    _ = md5::Md5::digest(password.trim()); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(harmless.as_bytes());
-    _ = md5::Md5::digest(password.as_bytes()); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
+    _ = md5::Md5::digest(password.as_bytes()); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(std::str::from_utf8(harmless_arr).unwrap());
    _ = md5::Md5::digest(std::str::from_utf8(password_arr).unwrap()); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
 }