diff --git a/java/ql/lib/ext/io.jsonwebtoken.model.yml b/java/ql/lib/ext/io.jsonwebtoken.model.yml
index 2a89153c4c1..b7d75b7eaa8 100644
--- a/java/ql/lib/ext/io.jsonwebtoken.model.yml
+++ b/java/ql/lib/ext/io.jsonwebtoken.model.yml
@@ -1,15 +1,153 @@
 extensions:
-  - addsTo:
-      pack: codeql/java-all
-      extensible: summaryModel
-    data:
-      - ["io.jsonwebtoken", "JwsHeader", True, "getAlgorithm", "", "", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.algorithm]", "ReturnValue", "taint", "manual"]
-      - ["io.jsonwebtoken", "JwsHeader", True, "setAlgorithm", "", "", "Argument[0]", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.algorithm]", "taint", "manual"]
-      - ["io.jsonwebtoken", "JwsHeader", True, "getKeyId", "", "", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.keyId]", "ReturnValue", "taint", "manual"]
-      - ["io.jsonwebtoken", "JwsHeader", True, "setKeyId", "", "", "Argument[0]", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.keyId]", "taint", "manual"]
-  - addsTo:
-      pack: codeql/java-all
-      extensible: sourceModel
-    data:
-      - ["io.jsonwebtoken", "SigningKeyResolver", True, "resolveSigningKey", "", "", "Parameter[0]", "remote", "manual"]
-      - ["io.jsonwebtoken", "SigningKeyResolverAdapter", True, "resolveSigningKeyBytes", "", "", "Parameter[0]", "remote", "manual"]
+- addsTo:
+    pack: codeql/java-all
+    extensible: summaryModel
+  data:
+    - ["io.jsonwebtoken", "JwsHeader", True, "getAlgorithm", "", "", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.algorithm]", "ReturnValue", "taint", "manual"]
+    - ["io.jsonwebtoken", "JwsHeader", True, "setAlgorithm", "", "", "Argument[0]", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.algorithm]", "taint", "manual"]
+    - ["io.jsonwebtoken", "JwsHeader", True, "getKeyId", "", "", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.keyId]", "ReturnValue", "taint", "manual"]
+    - ["io.jsonwebtoken", "JwsHeader", True, "setKeyId", "", "", "Argument[0]", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.keyId]", "taint", "manual"]
+
+- addsTo: {extensible: sinkModel, pack: codeql/java-all}
+  data:
+  - [io.jsonwebtoken, ProtectedHeaderMutator, true, jwkSetUrl, (URI), '', 'Argument[this]', request-forgery, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJweHeaderMutator, true, jwkSetUrl, (URI), '', 'Argument[this]', request-forgery, ai-generated]
+  - [io.jsonwebtoken.impl.lang, Parameters, false, uri, '(String,String)', '', 'Argument[0]', request-forgery, ai-generated]
+  - [io.jsonwebtoken.impl.lang, Parameters, false, uri, '(String,String)', '', 'Argument[1]', request-forgery, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(String,String)', '', 'Argument[this]', file-content-store, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, (InputStream), '', 'Argument[this]', file-content-store, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(byte[])', '', 'Argument[this]', file-content-store, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(InputStream,String)', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(InputStream,String)', '', 'Argument[1]', file-content-store, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(byte[],String)', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, (InputStream), '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(byte[])', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl.security, AesAlgorithm, true, withCipher, '(Cipher,InputStream,OutputStream)', '', 'Argument[1]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl.io, Streams, false, copy, '(InputStream,OutputStream,byte[],String)', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl.io, Streams, false, write, '(OutputStream,byte[],int,int,String)', '', 'Argument[1]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl.io, FilteredOutputStream, true, write, '(byte[])', '', 'Argument[this]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.io, AbstractSerializer, false, serialize, '(Object,OutputStream)', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, deserialize, '(InputStream,String)', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl.io, NamedSerializer, true, doSerialize, '(Map,OutputStream)', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl.io, Streams, false, writeAndClose, '(OutputStream,byte[],String)', '', 'Argument[0]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.impl.security, GcmAesAeadAlgorithm, true, decrypt, '(DecryptAeadRequest,OutputStream)', '', 'Argument[1]', file-content-store, ai-generated]
+  - [io.jsonwebtoken.jackson.io, JacksonSerializer, true, doSerialize, '(Object,OutputStream)', '', 'Argument[1]', file-content-store, ai-generated]
+
+- addsTo: {extensible: sourceModel, pack: codeql/java-all}
+  data:
+  - [io.jsonwebtoken, JwtBuilder, true, signWith, '(Key,SignatureAlgorithm)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, signWith, '(SignatureAlgorithm,String)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, signWith, '(SignatureAlgorithm,byte[])', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(InputStream,String)', '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(byte[],String)', '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, (InputStream), '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(InputStream,String)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, '(byte[],String)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, content, (InputStream), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.io, Parser, true, parse, (InputStream), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.io, Parser, true, parse, (InputStream), '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken.io, Parser, true, parse, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedClaims, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedContent, '(CharSequence,InputStream)', '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedContent, '(CharSequence,byte[])', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedContent, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedClaims, '(CharSequence,InputStream)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedClaims, '(CharSequence,byte[])', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedContent, '(CharSequence,InputStream)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedClaims, '(CharSequence,InputStream)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedClaims, '(CharSequence,byte[])', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedClaims, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedContent, '(CharSequence,InputStream)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseSignedContent, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedClaims, '(CharSequence,InputStream)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedClaims, '(CharSequence,InputStream)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedClaims, '(CharSequence,byte[])', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedClaims, '(CharSequence,byte[])', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedContent, '(CharSequence,InputStream)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedContent, '(CharSequence,byte[])', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseSignedContent, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, encryptWith, '(Key,KeyAlgorithm,AeadAlgorithm)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtVisitor, true, visit, (Jwe), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, SupportedJwtVisitor, true, visit, (Jws), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, encryptWith, '(Key,KeyAlgorithm,AeadAlgorithm)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, encryptWith, '(Key,KeyAlgorithm,AeadAlgorithm)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, encryptWith, '(SecretKey,AeadAlgorithm)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, SigningKeyResolverAdapter, true, resolveSigningKey, '(JwsHeader,Claims)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.security, LocatingKeyResolver, true, resolveSigningKey, '(JwsHeader,byte[])', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, SigningKeyResolver, true, resolveSigningKey, '(JwsHeader,byte[])', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, SigningKeyResolver, true, resolveSigningKey, '(JwsHeader,byte[])', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parse, '(CharSequence,JwtHandler)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parse, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parse, '(CharSequence,JwtHandler)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parse, '(CharSequence,JwtHandler)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parse, '(CharSequence,JwtHandler)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parse, (Reader), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.io, Deserializer, true, deserialize, (Reader), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.io, Deserializer, true, deserialize, (Reader), '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken.impl.compression, DeflateCompressionAlgorithm, true, doDecompress, '(byte[])', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl.io, CountingInputStream, true, read, '(byte[],int,int)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl.io, FilteredInputStream, true, read, '(byte[],int,int)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, Claims, true, get, '(String,Class)', '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, decode, '(CharSequence,String)', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtBuilder, true, claim, '(String,Object)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultClaims, true, get, '(String,Class)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, deserialize, '(InputStream,String)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, decode, '(CharSequence,String)', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.security, X509Mutator, true, x509Url, (URI), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtHandler, true, onClaimsJwe, (Jwe), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtHandler, true, onContentJwe, (Jwe), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtHandlerAdapter, true, onUnsecuredClaims, (Jwt), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseEncryptedClaims, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseEncryptedContent, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseUnsecuredClaims, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseClaimsJws, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseClaimsJws, (CharSequence), '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseContentJws, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseContentJws, (CharSequence), '', 'Parameter[this]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseClaimsJwt, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseContentJwt, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtParserBuilder, true, setSigningKeyResolver, (SigningKeyResolver), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, Locator, true, locate, (Header), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJweHeaderMutator, true, x509Url, (URI), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseClaimsJwt, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseContentJwt, (CharSequence), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParserBuilder, true, deserializeJsonWith, (Deserializer), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.io, ParserBuilder, true, json, (Deserializer), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.io, DelegateStringDecoder, true, decode, (InputStream), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.io, JsonObjectDeserializer, true, apply, (Reader), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.security, X509BuilderSupport, true, x509Url, (URI), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.io, CompressionAlgorithm, true, decompress, (InputStream), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.jackson.io, JacksonDeserializer, true, doDeserialize, (Reader), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, JwtHandler, true, onClaimsJws, (Jws), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseEncryptedClaims, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseEncryptedContent, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseUnsecuredClaims, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseUnsecuredContent, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParser, true, parseContentJws, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParserBuilder, true, json, (Deserializer), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, Base64Codec, true, decode, (String), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJweHeaderMutator, true, x509Url, (URI), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtBuilder, true, setHeader, (Map), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseUnsecuredClaims, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseClaimsJws, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwtParser, true, parseClaimsJwt, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl.io, DelegateStringDecoder, true, decode, (InputStream), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl.io, NamedSerializer, true, doSerialize, '(Map,OutputStream)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken.impl.lang, UriStringConverter, true, applyFrom, (CharSequence), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.security, DynamicJwkBuilder, true, rsaChain, (List), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.security, DynamicJwkBuilder, true, ecChain, (List), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.security, DynamicJwkBuilder, true, octetChain, (List), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.security, DynamicJwkBuilder, true, chain, (List), '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.impl.security, JcaTemplate, true, generateX509Certificate, '(byte[])', '', 'Parameter[0]', remote, ai-generated]
+  - [io.jsonwebtoken.security, AeadAlgorithm, true, decrypt, '(DecryptAeadRequest,OutputStream)', '', 'Parameter[1]', remote, ai-generated]
+  - [io.jsonwebtoken, JwtParserBuilder, true, unsecuredDecompression, (), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken, ProtectedHeader, true, getJwkSetUrl, (), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl, DefaultJwt, true, getPayload, (), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.compression, AbstractCompressionAlgorithm, false, decompress, (InputStream), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.security, Message, true, getPayload, (), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.security, KeyRequest, true, getHeader, (), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.security, DefaultVerifyDigestRequest, true, DefaultVerifyDigestRequest, '(InputStream,Provider,SecureRandom,byte[])', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.security, DefaultVerifySecureDigestRequest, true, DefaultVerifySecureDigestRequest, '(InputStream,Provider,SecureRandom,Key,byte[])', '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.security, EdwardsCurve, false, findByKey, (Key), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.impl.security, LocatingKeyResolver, true, LocatingKeyResolver, (Locator), '', ReturnValue, remote, ai-generated]
+  - [io.jsonwebtoken.lang, Classes, false, getResourceAsStream, (String), '', ReturnValue, remote, ai-generated]