Merge pull request #21051 from hvitved/shared/flow-summary-provenance-filtering

Shared: Provenance-based filtering of flow summaries
2026-02-12 05:01:06 +01:00 · 2026-01-26 17:24:34 +01:00
parent 2bd4ccee45 df09f02981
commit b974a84bef
142 changed files with 15884 additions and 21193 deletions
--- a/cpp/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ b/cpp/ql/lib/change-notes/2026-01-16-summarized-callable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -1145,40 +1145,22 @@ private predicate interpretSummary(

 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _, _) }
+  string input_;
+  string output_;
+  string kind;
+  Provenance p_;
+  string model_;

-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
-      provenance.isManual()
-    )
-  }
-
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
-      provenance.isGenerated()
-    )
-  }
+  SummarizedCallableAdapter() { interpretSummary(this, input_, output_, kind, p_, model_) }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
  ) {
-    exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
-      or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
-    |
-      if kind = "value" then preservesValue = true else preservesValue = false
-    )
-  }
-
-  override predicate hasProvenance(Provenance provenance) {
-    interpretSummary(this, _, _, _, provenance, _)
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = true and
+    model = model_
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -20,6 +20,8 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {

  class SinkBase = Void;

+  predicate callableFromSource(SummarizedCallableBase c) { exists(c.getBlock()) }
+
  ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }

  ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -1144,7 +1144,7 @@ private newtype TDataFlowCall =
  }

 private predicate summarizedCallableIsManual(SummarizedCallable sc) {
-  sc.asSummarizedCallable().applyManualModel()
+  sc.asSummarizedCallable().hasManualModel()
 }

 /**
--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -310,7 +310,7 @@ private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputS
  }

  private predicate hasManualSummaryModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
+    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.hasManualModel()) or
    api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
  }

--- a/cpp/ql/test/library-tests/dataflow/external-models/steps.expected
+++ b/cpp/ql/test/library-tests/dataflow/external-models/steps.expected
@@ -3,6 +3,4 @@
 | test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated |
 | test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:28:35:28:35 | 0 | test.cpp:28:11:28:33 | call to ymlStepManual_with_body |
-| test.cpp:32:38:32:38 | 0 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
-| test.cpp:35:38:35:38 | x | test.cpp:35:11:35:36 | call to ymlStepGenerated_with_body |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
--- a/csharp/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ b/csharp/ql/lib/change-notes/2026-01-16-summarized-callable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll
@@ -18,6 +18,11 @@ deprecated module SummaryComponentStack = Impl::Private::SummaryComponentStack;

 deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;

-class SummarizedCallable = Impl::Public::SummarizedCallable;
+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
+  class Range = Impl::Public::SummarizedCallable;
+}
+
+class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;

 class Provenance = Impl::Public::Provenance;
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -380,10 +380,7 @@ class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
    // we are not able to dispatch to a source declaration.
    exists(boolean static |
      result = this.getATarget(static) and
-      not (
-        result.applyGeneratedModel() and
-        this.hasSourceTarget()
-      )
+      if this.hasSourceTarget() then result.hasManualModel() else any()
    |
      static = false
      or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -848,7 +848,7 @@ private predicate fieldOrPropertyStore(Expr e, ContentSet c, Expr src, Expr q, b
        FlowSummaryImpl::Private::SummarizedCallableImpl sc,
        FlowSummaryImpl::Private::SummaryComponentStack input, ContentSet readSet
      |
-        sc.propagatesFlow(input, _, _, _) and
+        sc.propagatesFlow(input, _, _, _, _, _) and
        input.contains(FlowSummaryImpl::Private::SummaryComponent::content(readSet)) and
        c.getAStoreContent() = readSet.getAReadContent()
      )
@@ -1021,7 +1021,6 @@ private class InstanceCallable extends Callable {
  private Location l;

  InstanceCallable() {
-    this = any(DataFlowCallable dfc).asCallable(l) and
    not this.(Modifiable).isStatic() and
    // local functions and delegate capture `this` and should therefore
    // not have a `this` parameter
@@ -1119,6 +1118,7 @@ private module Cached {
      p = c.asCallable(_).(CallableUsedInSource).getAParameter()
    } or
    TInstanceParameterNode(InstanceCallable c, Location l) {
+      c = any(DataFlowCallable dfc).asCallable(l) and
      c instanceof CallableUsedInSource and
      l = c.getARelevantLocation()
    } or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
@@ -380,20 +380,23 @@ private Declaration interpretExt(Declaration d, ExtPath ext) {
 /** Gets the source/sink/summary/neutral element corresponding to the supplied parameters. */
 pragma[nomagic]
 Declaration interpretElement(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  boolean isExact
 ) {
  elementSpec(namespace, type, subtypes, name, signature, ext) and
  exists(Declaration base, Declaration d |
    base = interpretBaseDeclaration(namespace, type, name, signature) and
    (
-      d = base
+      d = base and
+      isExact = true
      or
      subtypes = true and
      (
        d.(UnboundCallable).overridesOrImplementsUnbound(base)
        or
        d = base.(UnboundValueOrRefType).getASubTypeUnbound+()
-      )
+      ) and
+      isExact = false
    )
  |
    result = interpretExt(d, ext)
@@ -586,71 +589,47 @@ string getSignature(UnboundCallable c) {
 }

 private predicate interpretSummary(
-  UnboundCallable c, string input, string output, string kind, string provenance, string model
+  UnboundCallable c, string input, string output, string kind, string provenance, boolean isExact,
+  string model
 ) {
  exists(
    string namespace, string type, boolean subtypes, string name, string signature, string ext
  |
    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance,
      model) and
-    c = interpretElement(namespace, type, subtypes, name, signature, ext)
+    c = interpretElement(namespace, type, subtypes, name, signature, ext, isExact)
  )
 }

-predicate interpretNeutral(UnboundCallable c, string kind, string provenance) {
+predicate interpretNeutral(UnboundCallable c, string kind, string provenance, boolean isExact) {
  exists(string namespace, string type, string name, string signature |
    Extensions::neutralModel(namespace, type, name, signature, kind, provenance) and
-    c = interpretElement(namespace, type, true, name, signature, "")
+    c = interpretElement(namespace, type, true, name, signature, "", isExact)
  )
 }

 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
+  string input_;
+  string output_;
+  string kind;
+  Provenance p_;
+  boolean isExact_;
+  string model_;
+
  SummarizedCallableAdapter() {
-    exists(Provenance provenance | interpretSummary(this, _, _, _, provenance, _) |
-      not this.fromSource()
-      or
-      this.fromSource() and provenance.isManual()
-    )
-  }
-
-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
-      provenance.isManual()
-    )
-  }
-
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
-      provenance.isGenerated()
-    ) and
-    not exists(Provenance provenance |
-      interpretNeutral(this, "summary", provenance) and
-      provenance.isManual()
-    )
+    interpretSummary(this, input_, output_, kind, p_, isExact_, model_)
  }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
  ) {
-    exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
-      or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
-    |
-      if kind = "value" then preservesValue = true else preservesValue = false
-    )
-  }
-
-  override predicate hasProvenance(Provenance provenance) {
-    interpretSummary(this, _, _, _, provenance, _)
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = isExact_ and
+    model = model_
  }
 }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -18,14 +18,24 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CsharpDataFlow>

  class SummarizedCallableBase = UnboundCallable;

+  predicate callableFromSource(SummarizedCallableBase c) {
+    c.fromSource() and
+    not c.getFile().isStub() and
+    not (
+      c.getFile().extractedQlTest() and
+      (
+        c.getBody() instanceof ThrowElement or
+        c.getBody().(BlockStmt).getStmt(0) instanceof ThrowElement
+      )
+    )
+  }
+
  class SourceBase = Void;

  class SinkBase = Void;

  predicate neutralElement(SummarizedCallableBase c, string kind, string provenance, boolean isExact) {
-    interpretNeutral(c, kind, provenance) and
-    // isExact is not needed for C#.
-    isExact = false
+    interpretNeutral(c, kind, provenance, isExact)
  }

  ArgumentPosition callbackSelfParameterPosition() { result.isDelegateSelf() }
@@ -216,7 +226,7 @@ module SourceSinkInterpretationInput implements
      string namespace, string type, boolean subtypes, string name, string signature, string ext
    |
      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance, model) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext)
+      e = interpretElement(namespace, type, subtypes, name, signature, ext, _)
    )
  }

@@ -227,7 +237,7 @@ module SourceSinkInterpretationInput implements
      string namespace, string type, boolean subtypes, string name, string signature, string ext
    |
      sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, model) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext)
+      e = interpretElement(namespace, type, subtypes, name, signature, ext, _)
    )
  }

@@ -238,7 +248,7 @@ module SourceSinkInterpretationInput implements
      string namespace, string type, boolean subtypes, string name, string signature, string ext
    |
      barrierModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance, model) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext)
+      e = interpretElement(namespace, type, subtypes, name, signature, ext, _)
    )
  }

@@ -251,7 +261,7 @@ module SourceSinkInterpretationInput implements
    |
      barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingvalue,
        kind, provenance, model) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext)
+      e = interpretElement(namespace, type, subtypes, name, signature, ext, _)
    )
  }

@@ -448,13 +458,14 @@ private class SummarizedCallableWithCallback extends Public::SummarizedCallable
  SummarizedCallableWithCallback() { mayInvokeCallback(this, pos) }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Public::Provenance provenance,
+    boolean isExact, string model
  ) {
    input = "Argument[" + pos + "]" and
    output = "Argument[" + pos + "].Parameter[delegate-self]" and
    preservesValue = true and
+    provenance = "hq-generated" and
+    isExact = true and
    model = "heuristic-callback"
  }
-
-  override predicate hasProvenance(Public::Provenance provenance) { provenance = "hq-generated" }
 }
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll
@@ -92,22 +92,17 @@ module EntityFramework {
  abstract class EFSummarizedCallable extends SummarizedCallableImpl {
    bindingset[this]
    EFSummarizedCallable() { any() }
-
-    override predicate hasProvenance(Provenance provenance) { provenance = "manual" }
  }

  // see `SummarizedCallableImpl` qldoc
  private class EFSummarizedCallableAdapter extends SummarizedCallable instanceof EFSummarizedCallable
  {
    override predicate propagatesFlow(
-      string input, string output, boolean preservesValue, string model
+      string input, string output, boolean preservesValue, Provenance provenance, boolean isExact,
+      string model
    ) {
      none()
    }
-
-    override predicate hasProvenance(Provenance provenance) {
-      EFSummarizedCallable.super.hasProvenance(provenance)
-    }
  }

  /** The class ``Microsoft.EntityFrameworkCore.DbQuery`1`` or ``System.Data.Entity.DbQuery`1``. */
@@ -177,11 +172,13 @@ module EntityFramework {

    override predicate propagatesFlow(
      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue,
-      string model
+      Provenance p, boolean isExact, string model
    ) {
      input = SummaryComponentStack::argument(0) and
      output = SummaryComponentStack::return() and
      preservesValue = false and
+      p = "manual" and
+      isExact = true and
      model = "RawSqlStringConstructorSummarizedCallable"
    }
  }
@@ -193,11 +190,13 @@ module EntityFramework {

    override predicate propagatesFlow(
      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue,
-      string model
+      Provenance p, boolean isExact, string model
    ) {
      input = SummaryComponentStack::argument(0) and
      output = SummaryComponentStack::return() and
      preservesValue = false and
+      p = "manual" and
+      isExact = true and
      model = "RawSqlStringConversionSummarizedCallable"
    }
  }
@@ -459,18 +458,20 @@ module EntityFramework {
  }

  private class DbContextClassSetPropertySynthetic extends EFSummarizedCallable {
-    private DbContextClassSetProperty p;
+    private DbContextClassSetProperty prop;

-    DbContextClassSetPropertySynthetic() { this = p.getGetter() }
+    DbContextClassSetPropertySynthetic() { this = prop.getGetter() }

    override predicate propagatesFlow(
      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue,
-      string model
+      Provenance p, boolean isExact, string model
    ) {
      exists(string name, DbContextClass c |
        preservesValue = true and
-        name = c.getSyntheticName(output, _, p) and
+        name = c.getSyntheticName(output, _, prop) and
        input = SummaryComponentStack::syntheticGlobal(name) and
+        p = "manual" and
+        isExact = true and
        model = "DbContextClassSetPropertySynthetic"
      )
    }
@@ -483,13 +484,15 @@ module EntityFramework {

    override predicate propagatesFlow(
      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue,
-      string model
+      Provenance p, boolean isExact, string model
    ) {
      exists(string name, Property mapped |
        preservesValue = true and
        c.input(input, mapped) and
        name = c.getSyntheticNameProj(mapped) and
        output = SummaryComponentStack::syntheticGlobal(name) and
+        p = "manual" and
+        isExact = true and
        model = "DbContextSaveChanges"
      )
    }
--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -230,7 +230,7 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
  }

  private predicate hasManualSummaryModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
+    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.hasManualModel()) or
    api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
  }

--- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs
+++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs
@@ -215,9 +215,9 @@ namespace My.Qltest
            Sink(Library.GeneratedFlowWithManualNeutral(o2)); // no flow because the modelled method has a manual neutral summary model
        }

-        object GeneratedFlow(object o) => throw null;
+        object GeneratedFlow(object o) => null;

-        object GeneratedFlowArgs(object o1, object o2) => throw null;
+        object GeneratedFlowArgs(object o1, object o2) => null;

        static void Sink(object o) { }
    }
--- a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
@@ -29,7 +29,6 @@ edges
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | Capture.cs:29:17:29:22 | access to local variable sink29 : String | provenance |  |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance | MaD:3 |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance | MaD:4 |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance | heuristic-callback |
 | Capture.cs:50:50:50:55 | sink39 : String | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:55:27:58:17 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
@@ -40,7 +39,6 @@ edges
 | Capture.cs:81:13:81:13 | [post] access to local function M : M [captured sink31] : String | Capture.cs:83:9:83:19 | [post] access to local function CaptureOut2 : CaptureOut2 [captured sink31] : String | provenance |  |
 | Capture.cs:83:9:83:19 | [post] access to local function CaptureOut2 : CaptureOut2 [captured sink31] : String | Capture.cs:84:15:84:20 | access to local variable sink31 | provenance |  |
 | Capture.cs:89:22:89:35 | "taint source" : String | Capture.cs:92:30:92:40 | [post] access to local variable captureOut3 : (...) => ... [captured sink32] : String | provenance |  |
-| Capture.cs:89:22:89:35 | "taint source" : String | Capture.cs:92:30:92:40 | [post] access to local variable captureOut3 : (...) => ... [captured sink32] : String | provenance | heuristic-callback |
 | Capture.cs:92:30:92:40 | [post] access to local variable captureOut3 : (...) => ... [captured sink32] : String | Capture.cs:93:15:93:20 | access to local variable sink32 | provenance |  |
 | Capture.cs:114:23:117:13 | [post] (...) => ... : (...) => ... [captured sink40] : String | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | provenance |  |
 | Capture.cs:116:26:116:39 | "taint source" : String | Capture.cs:352:9:352:9 | [post] access to parameter a : (...) => ... [captured sink40] : String | provenance |  |
@@ -62,10 +60,8 @@ edges
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | Capture.cs:156:15:156:20 | access to local variable sink35 | provenance |  |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:152:22:152:28 | access to parameter tainted : String | provenance | MaD:3 |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:152:22:152:28 | access to parameter tainted : String | provenance | MaD:4 |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:152:22:152:28 | access to parameter tainted : String | provenance | heuristic-callback |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance | MaD:3 |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance | MaD:4 |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance | heuristic-callback |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | Capture.cs:163:15:163:20 | access to local variable sink36 | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:160:20:160:26 | access to parameter tainted : String | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | provenance |  |
@@ -94,10 +90,8 @@ edges
 | Capture.cs:228:17:228:30 | "taint source" : String | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:228:17:228:30 | "taint source" : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance | MaD:1 |
-| Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance | heuristic-callback |
 | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance | heuristic-callback |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:242:19:242:32 | "taint source" : String | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
--- a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
@@ -39,7 +39,6 @@ edges
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | Capture.cs:29:17:29:22 | access to local variable sink29 : String | provenance |  |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance | MaD:5 |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance | MaD:6 |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance | heuristic-callback |
 | Capture.cs:50:50:50:55 | sink39 : String | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:55:27:58:17 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
@@ -50,7 +49,6 @@ edges
 | Capture.cs:81:13:81:13 | [post] access to local function M : M [captured sink31] : String | Capture.cs:83:9:83:19 | [post] access to local function CaptureOut2 : CaptureOut2 [captured sink31] : String | provenance |  |
 | Capture.cs:83:9:83:19 | [post] access to local function CaptureOut2 : CaptureOut2 [captured sink31] : String | Capture.cs:84:15:84:20 | access to local variable sink31 | provenance |  |
 | Capture.cs:89:22:89:35 | "taint source" : String | Capture.cs:92:30:92:40 | [post] access to local variable captureOut3 : (...) => ... [captured sink32] : String | provenance |  |
-| Capture.cs:89:22:89:35 | "taint source" : String | Capture.cs:92:30:92:40 | [post] access to local variable captureOut3 : (...) => ... [captured sink32] : String | provenance | heuristic-callback |
 | Capture.cs:92:30:92:40 | [post] access to local variable captureOut3 : (...) => ... [captured sink32] : String | Capture.cs:93:15:93:20 | access to local variable sink32 | provenance |  |
 | Capture.cs:114:23:117:13 | [post] (...) => ... : (...) => ... [captured sink40] : String | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | provenance |  |
 | Capture.cs:116:26:116:39 | "taint source" : String | Capture.cs:352:9:352:9 | [post] access to parameter a : (...) => ... [captured sink40] : String | provenance |  |
@@ -72,10 +70,8 @@ edges
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | Capture.cs:156:15:156:20 | access to local variable sink35 | provenance |  |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:152:22:152:28 | access to parameter tainted : String | provenance | MaD:5 |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:152:22:152:28 | access to parameter tainted : String | provenance | MaD:6 |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:152:22:152:28 | access to parameter tainted : String | provenance | heuristic-callback |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance | MaD:5 |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance | MaD:6 |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance | heuristic-callback |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | Capture.cs:163:15:163:20 | access to local variable sink36 | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:160:20:160:26 | access to parameter tainted : String | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | provenance |  |
@@ -104,10 +100,8 @@ edges
 | Capture.cs:228:17:228:30 | "taint source" : String | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:228:17:228:30 | "taint source" : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance | MaD:1 |
-| Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance | heuristic-callback |
 | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance | heuristic-callback |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:242:19:242:32 | "taint source" : String | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.ql
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.ql
@@ -19,12 +19,12 @@ class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
   * that propagates the same flow between `input` and `output`.
   */
  override predicate relevantSummary(
-    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue, Provenance p
  ) {
-    this.propagatesFlow(input, output, preservesValue, _) and
+    this.propagatesFlow(input, output, preservesValue, p, _, _) and
    not exists(IncludeSummarizedCallable rsc |
      isBaseCallableOrPrototype(rsc) and
-      rsc.propagatesFlow(input, output, preservesValue, _) and
+      rsc.propagatesFlow(input, output, preservesValue, _, _, _) and
      this.(UnboundCallable).overridesOrImplementsUnbound(rsc)
    )
  }
--- a/csharp/ql/test/shared/FlowSummaries.qll
+++ b/csharp/ql/test/shared/FlowSummaries.qll
@@ -13,8 +13,8 @@ class IncludeSummarizedCallable extends SummarizedCallableImplFinal {
  final string getCallableCsv() { result = getSignature(this) }

  predicate relevantSummary(
-    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue, Provenance p
  ) {
-    this.propagatesFlow(input, output, preservesValue, _)
+    this.propagatesFlow(input, output, preservesValue, p, _, _)
  }
 }
--- a/go/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ b/go/ql/lib/change-notes/2026-01-16-summarized-callable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
--- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
+++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
@@ -503,44 +503,23 @@ predicate barrierNode(DataFlow::Node node, string kind) { barrierNode(node, kind

 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends Public::SummarizedCallable {
-  SummarizedCallableAdapter() { summaryElement(this, _, _, _, _, _) }
+  string input_;
+  string output_;
+  string kind;
+  Public::Provenance p_;
+  string model_;

-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
-    exists(Public::Provenance provenance |
-      summaryElement(this, input, output, kind, provenance, model) and
-      provenance.isManual()
-    )
-  }
-
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
-    exists(Public::Provenance provenance |
-      summaryElement(this, input, output, kind, provenance, model) and
-      provenance.isGenerated()
-    ) and
-    not exists(Public::Provenance provenance |
-      neutralElement(this, "summary", provenance) and
-      provenance.isManual()
-    )
-  }
+  SummarizedCallableAdapter() { summaryElement(this, input_, output_, kind, p_, model_) }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Public::Provenance p, boolean isExact,
+    string model
  ) {
-    exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
-      or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
-    |
-      if kind = "value" then preservesValue = true else preservesValue = false
-    )
-  }
-
-  override predicate hasProvenance(Public::Provenance provenance) {
-    summaryElement(this, _, _, _, provenance, _)
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = true and
+    model = model_
  }
 }
--- a/go/ql/lib/semmle/go/dataflow/FlowSummary.qll
+++ b/go/ql/lib/semmle/go/dataflow/FlowSummary.qll
@@ -18,6 +18,11 @@ deprecated class SummaryComponentStack = Impl::Private::SummaryComponentStack;

 deprecated module SummaryComponentStack = Impl::Private::SummaryComponentStack;

-class SummarizedCallable = Impl::Public::SummarizedCallable;
+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
+  class Range = Impl::Public::SummarizedCallable;
+}
+
+class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;

 deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;
--- a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll
@@ -29,6 +29,8 @@ module Input implements InputSig<Location, DataFlowImplSpecific::GoDataFlow> {

  class SinkBase = Void;

+  predicate callableFromSource(SummarizedCallableBase c) { exists(c.getFuncDef()) }
+
  predicate neutralElement(
    Input::SummarizedCallableBase c, string kind, string provenance, boolean isExact
  ) {
@@ -36,8 +38,7 @@ module Input implements InputSig<Location, DataFlowImplSpecific::GoDataFlow> {
      neutralModel(namespace, type, name, signature, kind, provenance) and
      c.asFunction() = interpretElement(namespace, type, false, name, signature, "").asEntity()
    ) and
-    // isExact is not needed for Go.
-    isExact = false
+    isExact = true
  }

  ArgumentPosition callbackSelfParameterPosition() { result = -1 }
--- a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -157,7 +157,7 @@ module NetHttp {
      |
        this = call.getASyntacticArgument() and
        callable = call.getACalleeIncludingExternals() and
-        callable.propagatesFlow(input, output, _, _)
+        callable.propagatesFlow(input, output, _, _, _, _)
      |
        // A modeled function conveying taint from some input to the response writer,
        // e.g. `io.Copy(responseWriter, someTaintedReader)`
--- a/java/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ b/java/ql/lib/change-notes/2026-01-16-summarized-callable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
--- a/java/ql/lib/ext/java.util.model.yml
+++ b/java/ql/lib/ext/java.util.model.yml
@@ -398,6 +398,7 @@ extensions:
      - ["java.util", "StringJoiner", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.util", "StringTokenizer", False, "StringTokenizer", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["java.util", "StringTokenizer", False, "nextElement", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.util", "StringTokenizer", False, "nextElement", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
      - ["java.util", "StringTokenizer", False, "nextToken", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.util", "TreeMap", False, "TreeMap", "(Map)", "", "Argument[0].MapKey", "Argument[this].MapKey", "value", "manual"]
      - ["java.util", "TreeMap", False, "TreeMap", "(Map)", "", "Argument[0].MapValue", "Argument[this].MapValue", "value", "manual"]
--- a/java/ql/lib/ext/org.apache.commons.collections4.map.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.collections4.map.model.yml
@@ -70,10 +70,10 @@ extensions:
      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "keyList", "", "", "Argument[this].MapKey", "ReturnValue.Element", "value", "manual"]
      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "listOrderedMap", "", "", "Argument[0].MapKey", "ReturnValue.MapKey", "value", "manual"]
      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "listOrderedMap", "", "", "Argument[0].MapValue", "ReturnValue.MapValue", "value", "manual"]
-      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "put", "", "", "Argument[1]", "Argument[this].MapKey", "value", "manual"]
-      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "put", "", "", "Argument[2]", "Argument[this].MapValue", "value", "manual"]
-      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "putAll", "", "", "Argument[1].MapKey", "Argument[this].MapKey", "value", "manual"]
-      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "putAll", "", "", "Argument[1].MapValue", "Argument[this].MapValue", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "put", "(int,Object,Object)", "", "Argument[1]", "Argument[this].MapKey", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "put", "(int,Object,Object)", "", "Argument[2]", "Argument[this].MapValue", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "putAll", "(int,Map)", "", "Argument[1].MapKey", "Argument[this].MapKey", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "putAll", "(int,Map)", "", "Argument[1].MapValue", "Argument[this].MapValue", "value", "manual"]
      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "remove", "(int)", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "setValue", "", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
      - ["org.apache.commons.collections4.map", "ListOrderedMap", True, "valueList", "", "", "Argument[this].MapValue", "ReturnValue.Element", "value", "manual"]
@@ -87,6 +87,8 @@ extensions:
      - ["org.apache.commons.collections4.map", "MultiKeyMap", True, "put", "(Object,Object,Object,Object,Object)", "", "Argument[4]", "Argument[this].MapValue", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiKeyMap", True, "put", "(Object,Object,Object,Object,Object,Object)", "", "Argument[0..4]", "Argument[this].MapKey.Element", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiKeyMap", True, "put", "(Object,Object,Object,Object,Object,Object)", "", "Argument[5]", "Argument[this].MapValue", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "MultiKeyMap", True, "put", "(MultiKey,Object)", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "MultiKeyMap", True, "put", "(MultiKey,Object)", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiKeyMap", True, "removeMultiKey", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "getCollection", "", "", "Argument[this].MapValue.Element", "ReturnValue.Element", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "iterator", "()", "", "Argument[this].MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
@@ -98,6 +100,8 @@ extensions:
      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "putAll", "(Map)", "", "Argument[0].MapValue.Element", "Argument[this].MapValue.Element", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "putAll", "(Object,Collection)", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "putAll", "(Object,Collection)", "", "Argument[1].Element", "Argument[this].MapValue.Element", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "putAll", "(Map)", "", "Argument[0].MapKey", "Argument[this].MapKey", "value", "manual"]
+      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "putAll", "(Map)", "", "Argument[0].MapValue", "Argument[this].MapValue", "value", "manual"]
      - ["org.apache.commons.collections4.map", "MultiValueMap", True, "values", "", "", "Argument[this].MapValue.Element", "ReturnValue.Element", "value", "manual"]
      - ["org.apache.commons.collections4.map", "PassiveExpiringMap", True, "PassiveExpiringMap", "(PassiveExpiringMap$ExpirationPolicy,Map)", "", "Argument[1].MapKey", "Argument[this].MapKey", "value", "manual"]
      - ["org.apache.commons.collections4.map", "PassiveExpiringMap", True, "PassiveExpiringMap", "(PassiveExpiringMap$ExpirationPolicy,Map)", "", "Argument[1].MapValue", "Argument[this].MapValue", "value", "manual"]
--- a/java/ql/lib/ext/org.apache.commons.collections4.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.collections4.model.yml
@@ -287,7 +287,7 @@ extensions:
      - ["org.apache.commons.collections4", "MapUtils", True, "unmodifiableMap", "", "", "Argument[0].MapValue", "ReturnValue.MapValue", "value", "manual"]
      - ["org.apache.commons.collections4", "MapUtils", True, "unmodifiableSortedMap", "", "", "Argument[0].MapKey", "ReturnValue.MapKey", "value", "manual"]
      - ["org.apache.commons.collections4", "MapUtils", True, "unmodifiableSortedMap", "", "", "Argument[0].MapValue", "ReturnValue.MapValue", "value", "manual"]
-      - ["org.apache.commons.collections4", "MultiMap", True, "get", "", "", "Argument[this].MapValue.Element", "ReturnValue.Element", "value", "manual"]
+      - ["org.apache.commons.collections4", "MultiMap", True, "get", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
      - ["org.apache.commons.collections4", "MultiMap", True, "put", "", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
      - ["org.apache.commons.collections4", "MultiMap", True, "put", "", "", "Argument[1]", "Argument[this].MapValue.Element", "value", "manual"]
      - ["org.apache.commons.collections4", "MultiMap", True, "values", "", "", "Argument[this].MapValue.Element", "ReturnValue.Element", "value", "manual"]
@@ -331,9 +331,9 @@ extensions:
      - ["org.apache.commons.collections4", "OrderedMap", True, "lastKey", "", "", "Argument[this].MapKey", "ReturnValue", "value", "manual"]
      - ["org.apache.commons.collections4", "OrderedMap", True, "nextKey", "", "", "Argument[this].MapKey", "ReturnValue", "value", "manual"]
      - ["org.apache.commons.collections4", "OrderedMap", True, "previousKey", "", "", "Argument[this].MapKey", "ReturnValue", "value", "manual"]
-      - ["org.apache.commons.collections4", "Put", True, "put", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
-      - ["org.apache.commons.collections4", "Put", True, "put", "", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
-      - ["org.apache.commons.collections4", "Put", True, "put", "", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
+      - ["org.apache.commons.collections4", "Put", True, "put", "(Object,Object)", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
+      - ["org.apache.commons.collections4", "Put", True, "put", "(Object,Object)", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
+      - ["org.apache.commons.collections4", "Put", True, "put", "(Object,Object)", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
      - ["org.apache.commons.collections4", "Put", True, "putAll", "(Map)", "", "Argument[0].MapKey", "Argument[this].MapKey", "value", "manual"]
      - ["org.apache.commons.collections4", "Put", True, "putAll", "(Map)", "", "Argument[0].MapValue", "Argument[this].MapValue", "value", "manual"]
      - ["org.apache.commons.collections4", "QueueUtils", True, "predicatedQueue", "", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
--- a/java/ql/lib/ext/org.apache.commons.collections4.set.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.collections4.set.model.yml
@@ -20,7 +20,9 @@ extensions:
      - ["org.apache.commons.collections4.set", "CompositeSet$SetMutator", True, "addAll", "", "", "Argument[2].Element", "Argument[0].Element", "value", "manual"]
      - ["org.apache.commons.collections4.set", "CompositeSet$SetMutator", True, "addAll", "", "", "Argument[2].Element", "Argument[1].Element.Element", "value", "manual"]
      - ["org.apache.commons.collections4.set", "ListOrderedSet", True, "add", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
+      - ["org.apache.commons.collections4.set", "ListOrderedSet", True, "add", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
      - ["org.apache.commons.collections4.set", "ListOrderedSet", True, "addAll", "", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
+      - ["org.apache.commons.collections4.set", "ListOrderedSet", True, "addAll", "(Collection)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
      - ["org.apache.commons.collections4.set", "ListOrderedSet", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
      - ["org.apache.commons.collections4.set", "ListOrderedSet", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
      - ["org.apache.commons.collections4.set", "ListOrderedSet", True, "listOrderedSet", "(List)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
--- a/java/ql/lib/ext/org.springframework.web.util.model.yml
+++ b/java/ql/lib/ext/org.springframework.web.util.model.yml
@@ -30,7 +30,7 @@ extensions:
      - ["org.springframework.web.util", "DefaultUriBuilderFactory", False, "builder", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "DefaultUriBuilderFactory", False, "getDefaultUriVariables", "", "", "Argument[this]", "ReturnValue.MapValue", "taint", "manual"]
      - ["org.springframework.web.util", "DefaultUriBuilderFactory", False, "setDefaultUriVariables", "", "", "Argument[0].MapValue", "Argument[this]", "taint", "manual"]
-      - ["org.springframework.web.util", "DefaultUriBuilderFactory", False, "uriString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.util", "DefaultUriBuilderFactory", False, "uriString", "", "", "Argument[this,0]", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "HtmlUtils", False, "htmlEscape", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "HtmlUtils", False, "htmlEscapeDecimal", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "HtmlUtils", False, "htmlEscapeHex", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
@@ -83,8 +83,7 @@ extensions:
      - ["org.springframework.web.util", "UriBuilder", True, "userInfo", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
      - ["org.springframework.web.util", "UriBuilder", True, "userInfo", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["org.springframework.web.util", "UriBuilderFactory", True, "builder", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UriBuilderFactory", True, "uriString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UriBuilderFactory", True, "uriString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.util", "UriBuilderFactory", True, "uriString", "", "", "Argument[this,0]", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "UriComponents", False, "UriComponents", "", "", "Argument[0..1]", "Argument[this]", "taint", "manual"]
      - ["org.springframework.web.util", "UriComponents", False, "copyToUriComponentsBuilder", "", "", "Argument[this]", "Argument[0]", "taint", "manual"]
      - ["org.springframework.web.util", "UriComponents", False, "encode", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -107,6 +106,9 @@ extensions:
      - ["org.springframework.web.util", "UriComponents", False, "toUriString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "UriComponents$UriTemplateVariables", True, "getValue", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
      - ["org.springframework.web.util", "UriComponentsBuilder", False, "build", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.util", "UriComponentsBuilder", False, "build", "(Map)", "", "Argument[0].MapValue", "Argument[this]", "taint", "manual"]
+      - ["org.springframework.web.util", "UriComponentsBuilder", False, "build", "(Map)", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.util", "UriComponentsBuilder", False, "build", "(Object[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "UriComponentsBuilder", False, "buildAndExpand", "(Map)", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "UriComponentsBuilder", False, "buildAndExpand", "(Object[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
      - ["org.springframework.web.util", "UriComponentsBuilder", False, "cloneBuilder", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
--- a/java/ql/lib/semmle/code/java/ConflictingAccess.qll
+++ b/java/ql/lib/semmle/code/java/ConflictingAccess.qll
@@ -23,7 +23,7 @@ module Modification {
  /** Holds if the call `c` modifies a shared resource. */
  predicate isModifyingCall(Call c) {
    exists(SummarizedCallable sc, string output | sc.getACall() = c |
-      sc.propagatesFlow(_, output, _, _) and
+      sc.propagatesFlow(_, output, _, _, _, _) and
      output.matches("Argument[this]%")
    )
  }
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -620,48 +620,25 @@ predicate barrierNode(Node node, string kind) { barrierNode(node, kind, _) }

 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { summaryElement(this, _, _, _, _, _, _) }
+  string input_;
+  string output_;
+  string kind;
+  Provenance p_;
+  boolean isExact_;
+  string model_;

-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      summaryElement(this, input, output, kind, provenance, model, _) and
-      provenance.isManual()
-    )
-  }
-
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      summaryElement(this, input, output, kind, provenance, model, _) and
-      provenance.isGenerated()
-    ) and
-    not exists(Provenance provenance |
-      neutralElement(this, "summary", provenance, _) and
-      provenance.isManual()
-    )
-  }
+  SummarizedCallableAdapter() { summaryElement(this, input_, output_, kind, p_, model_, isExact_) }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
  ) {
-    exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
-      or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
-    |
-      if kind = "value" then preservesValue = true else preservesValue = false
-    )
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = isExact_ and
+    model = model_
  }
-
-  override predicate hasProvenance(Provenance provenance) {
-    summaryElement(this, _, _, _, provenance, _, _)
-  }
-
-  override predicate hasExactModel() { summaryElement(this, _, _, _, _, _, true) }
 }

 final class SinkCallable = SinkModelCallable;
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll
@@ -121,24 +121,31 @@ class SummarizedCallableBase extends TSummarizedCallableBase {

 class Provenance = Impl::Public::Provenance;

-class SummarizedCallable = Impl::Public::SummarizedCallable;
+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
+  class Range = Impl::Public::SummarizedCallable;
+}
+
+class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;

 /**
 * An adapter class to add the flow summaries specified on `SyntheticCallable`
 * to `SummarizedCallable`.
 */
-private class SummarizedSyntheticCallableAdapter extends SummarizedCallable, TSyntheticCallable {
+private class SummarizedSyntheticCallableAdapter extends SummarizedCallable::Range,
+  TSyntheticCallable
+{
  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
  ) {
    exists(SyntheticCallable sc |
      sc = this.asSyntheticCallable() and
      sc.propagatesFlow(input, output, preservesValue) and
+      p = "manual" and
+      isExact = true and
      model = sc
    )
  }
-
-  override predicate hasExactModel() { any() }
 }

 deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -12,7 +12,11 @@ private import semmle.code.java.dispatch.internal.Unification

 private module DispatchImpl {
  private predicate hasHighConfidenceTarget(Call c) {
-    exists(Impl::Public::SummarizedCallable sc | sc.getACall() = c and not sc.applyGeneratedModel())
+    exists(Impl::Public::SummarizedCallable sc, Impl::Public::Provenance p |
+      sc.getACall() = c and
+      sc.propagatesFlow(_, _, _, p, _, _) and
+      not p.isGenerated()
+    )
    or
    exists(Impl::Public::NeutralSummaryCallable nc | nc.getACall() = c and nc.hasManualModel())
    or
@@ -25,8 +29,10 @@ private module DispatchImpl {
  private predicate hasExactManualModel(Call c, Callable tgt) {
    tgt = c.getCallee().getSourceDeclaration() and
    (
-      exists(Impl::Public::SummarizedCallable sc |
-        sc.getACall() = c and sc.hasExactModel() and sc.hasManualModel()
+      exists(Impl::Public::SummarizedCallable sc, Impl::Public::Provenance p |
+        sc.getACall() = c and
+        sc.propagatesFlow(_, _, _, p, true, _) and
+        p.isManual()
      )
      or
      exists(Impl::Public::NeutralSummaryCallable nc |
@@ -57,16 +63,6 @@ private module DispatchImpl {
    exists(Call call | call = c.asCall() |
      result.asCallable() = sourceDispatch(call)
      or
-      not (
-        // Only use summarized callables with generated summaries in case
-        // the static call target is not in the source code.
-        // Note that if `applyGeneratedModel` holds it implies that there doesn't
-        // exist a manual model.
-        exists(Callable staticTarget | staticTarget = call.getCallee().getSourceDeclaration() |
-          staticTarget.fromSource() and not staticTarget.isStub()
-        ) and
-        result.asSummarizedCallable().applyGeneratedModel()
-      ) and
      result.asSummarizedCallable().getACall() = call
    )
  }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -33,6 +33,10 @@ module Input implements InputSig<Location, DataFlowImplSpecific::JavaDataFlow> {

  class SummarizedCallableBase = FlowSummary::SummarizedCallableBase;

+  predicate callableFromSource(SummarizedCallableBase sc) {
+    sc.asCallable() = any(Callable c | c.fromSource() and not c.isStub())
+  }
+
  class SourceBase = Void;

  class SinkBase = Void;
--- a/java/ql/lib/semmle/code/java/dispatch/WrappedInvocation.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/WrappedInvocation.qll
@@ -68,19 +68,19 @@ private predicate mayInvokeCallback(SrcMethod m, int n) {
  (not m.fromSource() or m.isNative() or m.getFile().getAbsolutePath().matches("%/test/stubs/%"))
 }

-private class SummarizedCallableWithCallback extends SummarizedCallable {
+private class SummarizedCallableWithCallback extends SummarizedCallable::Range {
  private int pos;

  SummarizedCallableWithCallback() { mayInvokeCallback(this.asCallable(), pos) }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
  ) {
    input = "Argument[" + pos + "]" and
    output = "Argument[" + pos + "].Parameter[-1]" and
    preservesValue = true and
+    p = "hq-generated" and
+    isExact = true and
    model = "heuristic-callback"
  }
-
-  override predicate hasProvenance(Provenance provenance) { provenance = "hq-generated" }
 }
--- a/java/ql/src/Metrics/Summaries/GeneratedVsManualCoverageQuery.qll
+++ b/java/ql/src/Metrics/Summaries/GeneratedVsManualCoverageQuery.qll
@@ -10,19 +10,19 @@ bindingset[package, apiSubset]
 private int getNumMadModeledApis(string package, string provenance, string apiSubset) {
  provenance in ["generated", "manual", "both"] and
  result =
-    count(SummarizedCallable sc |
+    count(SummarizedCallable::Range sc |
      callableSubset(sc.asCallable(), apiSubset) and
      package = sc.asCallable().getCompilationUnit().getPackage().getName() and
      sc.asCallable() instanceof ModelApi and
      (
        // "auto-only"
        not sc.hasManualModel() and
-        sc.hasGeneratedModel() and
+        any(Provenance p | sc.propagatesFlow(_, _, _, p, _, _)).isGenerated() and
        provenance = "generated"
        or
        sc.hasManualModel() and
        (
-          if sc.hasGeneratedModel()
+          if any(Provenance p | sc.propagatesFlow(_, _, _, p, _, _)).isGenerated()
          then
            // "both"
            provenance = "both"
--- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -187,7 +187,7 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
  }

  private predicate hasManualSummaryModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()).asCallable() or
+    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.hasManualModel()).asCallable() or
    api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel()).asCallable()
  }

--- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
@@ -18,19 +18,13 @@ edges
 | SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String | SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | provenance | MaD:3 |
 | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
-| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
-| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
-| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | provenance | Config |
@@ -40,7 +34,6 @@ models
 | 2 | Summary: java.lang; String; false; format; (String,Object[]); ; Argument[1].ArrayElement; ReturnValue; taint; manual |
 | 3 | Summary: java.net; URI; false; create; ; ; Argument[0]; ReturnValue; taint; manual |
 | 4 | Summary: org.springframework.http; HttpHeaders; true; add; (String,String); ; Argument[0..1]; Argument[this]; taint; manual |
-| 5 | Summary: org.springframework.util; MultiValueMap; true; add; ; ; Argument[1]; Argument[this].MapValue.Element; value; manual |
 nodes
 | SpringUrlRedirect.java:17:30:17:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:19:19:19:29 | redirectUrl | semmle.label | redirectUrl |
@@ -71,17 +64,14 @@ nodes
 | SpringUrlRedirect.java:100:37:100:47 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | semmle.label | httpHeaders [post update] : HttpHeaders |
-| SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String |
 | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | semmle.label | httpHeaders [post update] : HttpHeaders |
-| SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String |
 | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | semmle.label | httpHeaders [post update] : HttpHeaders |
-| SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String |
 | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | semmle.label | redirectUrl : String |
--- a/java/ql/test/library-tests/dataflow/capture/inlinetest.expected
+++ b/java/ql/test/library-tests/dataflow/capture/inlinetest.expected
@@ -98,9 +98,7 @@ edges
 | B.java:107:5:107:6 | l2 : ArrayList [<element>, <element>] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out1, <element>] : String | provenance | MaD:1 |
 | B.java:107:16:107:16 | l : List [<element>] : String | B.java:107:21:107:21 | l : List [<element>] : String | provenance |  |
 | B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out2, <element>] : String | provenance | MaD:1 |
-| B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out2, <element>] : String | provenance | heuristic-callback |
 | B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this : new Consumer<List<String>>(...) { ... } [String s] : String | provenance | MaD:1 |
-| B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this : new Consumer<List<String>>(...) { ... } [String s] : String | provenance | heuristic-callback |
 | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out1, <element>] : String | B.java:107:16:111:6 | List<String> out1 : List [<element>] : String | provenance |  |
 | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out2, <element>] : String | B.java:107:16:111:6 | List<String> out2 : List [<element>] : String | provenance |  |
 | B.java:107:16:111:6 | List<String> out1 : List [<element>] : String | B.java:112:10:112:13 | out1 : List [<element>] : String | provenance |  |
@@ -111,9 +109,7 @@ edges
 | B.java:107:21:107:21 | l : List [<element>] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out1, <element>] : String | provenance | MaD:1 |
 | B.java:107:31:107:31 | x : String | B.java:109:16:109:16 | x : String | provenance |  |
 | B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out2, <element>] : String | provenance | MaD:1 |
-| B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out2, <element>] : String | provenance | heuristic-callback |
 | B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this : new Consumer<String>(...) { ... } [String s] : String | provenance | MaD:1 |
-| B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this : new Consumer<String>(...) { ... } [String s] : String | provenance | heuristic-callback |
 | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out1, <element>] : String | B.java:107:31:111:5 | List<String> out1 : List [<element>] : String | provenance |  |
 | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out2, <element>] : String | B.java:107:31:111:5 | List<String> out2 : List [<element>] : String | provenance |  |
 | B.java:107:31:111:5 | List<String> out1 : List [<element>] : String | B.java:107:31:111:5 | this : new Consumer<List<String>>(...) { ... } [List<String> out1, <element>] : String | provenance |  |
--- a/java/ql/test/library-tests/dataflow/collections/containerflow.expected
+++ b/java/ql/test/library-tests/dataflow/collections/containerflow.expected
@@ -877,13 +877,11 @@ edges
 | B.java:404:44:404:51 | source(...) : Object | B.java:28:57:28:61 | obj : Object | provenance |  |
 | B.java:404:44:404:51 | source(...) : Object | B.java:404:18:404:52 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | provenance | MaD:54 |
 | B.java:404:61:404:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:404:61:404:73 | getFirst(...) : Object | provenance | MaD:113 |
-| B.java:404:61:404:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:404:61:404:73 | getFirst(...) : Object | provenance | MaD:274 |
 | B.java:404:61:404:73 | getFirst(...) : Object | B.java:404:81:404:83 | out | provenance |  |
 | B.java:409:18:409:52 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | B.java:409:61:409:62 | in : LinkedBlockingDeque [<element>] : Object | provenance |  |
 | B.java:409:44:409:51 | source(...) : Object | B.java:28:57:28:61 | obj : Object | provenance |  |
 | B.java:409:44:409:51 | source(...) : Object | B.java:409:18:409:52 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | provenance | MaD:54 |
 | B.java:409:61:409:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:409:61:409:72 | getLast(...) : Object | provenance | MaD:114 |
-| B.java:409:61:409:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:409:61:409:72 | getLast(...) : Object | provenance | MaD:275 |
 | B.java:409:61:409:72 | getLast(...) : Object | B.java:409:80:409:82 | out | provenance |  |
 | B.java:414:18:414:52 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | B.java:414:61:414:62 | in : LinkedBlockingDeque [<element>] : Object | provenance |  |
 | B.java:414:44:414:51 | source(...) : Object | B.java:28:57:28:61 | obj : Object | provenance |  |
@@ -914,13 +912,11 @@ edges
 | B.java:439:44:439:51 | source(...) : Object | B.java:28:57:28:61 | obj : Object | provenance |  |
 | B.java:439:44:439:51 | source(...) : Object | B.java:439:18:439:52 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | provenance | MaD:54 |
 | B.java:439:61:439:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:439:61:439:76 | removeFirst(...) : Object | provenance | MaD:123 |
-| B.java:439:61:439:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:439:61:439:76 | removeFirst(...) : Object | provenance | MaD:276 |
 | B.java:439:61:439:76 | removeFirst(...) : Object | B.java:439:84:439:86 | out | provenance |  |
 | B.java:444:18:444:52 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | B.java:444:61:444:62 | in : LinkedBlockingDeque [<element>] : Object | provenance |  |
 | B.java:444:44:444:51 | source(...) : Object | B.java:28:57:28:61 | obj : Object | provenance |  |
 | B.java:444:44:444:51 | source(...) : Object | B.java:444:18:444:52 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | provenance | MaD:54 |
 | B.java:444:61:444:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:444:61:444:75 | removeLast(...) : Object | provenance | MaD:124 |
-| B.java:444:61:444:62 | in : LinkedBlockingDeque [<element>] : Object | B.java:444:61:444:75 | removeLast(...) : Object | provenance | MaD:277 |
 | B.java:444:61:444:75 | removeLast(...) : Object | B.java:444:83:444:85 | out | provenance |  |
 | B.java:449:19:449:26 | source(...) : Object | B.java:449:38:449:39 | in : Object | provenance |  |
 | B.java:449:29:449:31 | out [post update] : Deque [<element>] : Object | B.java:449:60:449:62 | out : Deque [<element>] : Object | provenance |  |
@@ -940,13 +936,11 @@ edges
 | B.java:464:19:464:26 | source(...) : Object | B.java:464:41:464:42 | in : Object | provenance |  |
 | B.java:464:29:464:31 | out [post update] : Deque [<element>] : Object | B.java:464:63:464:65 | out : Deque [<element>] : Object | provenance |  |
 | B.java:464:41:464:42 | in : Object | B.java:464:29:464:31 | out [post update] : Deque [<element>] : Object | provenance | MaD:111 |
-| B.java:464:41:464:42 | in : Object | B.java:464:29:464:31 | out [post update] : Deque [<element>] : Object | provenance | MaD:273 |
 | B.java:464:63:464:65 | out : Deque [<element>] : Object | B.java:31:28:31:42 | obj : Deque [<element>] : Object | provenance |  |
 | B.java:464:63:464:65 | out : Deque [<element>] : Object | B.java:464:51:464:66 | readElement(...) | provenance | MaD:3 |
 | B.java:469:19:469:26 | source(...) : Object | B.java:469:42:469:43 | in : Object | provenance |  |
 | B.java:469:29:469:31 | out [post update] : Deque [<element>] : Object | B.java:469:64:469:66 | out : Deque [<element>] : Object | provenance |  |
 | B.java:469:42:469:43 | in : Object | B.java:469:29:469:31 | out [post update] : Deque [<element>] : Object | provenance | MaD:110 |
-| B.java:469:42:469:43 | in : Object | B.java:469:29:469:31 | out [post update] : Deque [<element>] : Object | provenance | MaD:272 |
 | B.java:469:64:469:66 | out : Deque [<element>] : Object | B.java:31:28:31:42 | obj : Deque [<element>] : Object | provenance |  |
 | B.java:469:64:469:66 | out : Deque [<element>] : Object | B.java:469:52:469:67 | readElement(...) | provenance | MaD:3 |
 | B.java:474:26:474:60 | storeElementBlockingDeque(...) : LinkedBlockingDeque [<element>] : Object | B.java:474:69:474:70 | in : LinkedBlockingDeque [<element>] : Object | provenance |  |
@@ -1095,7 +1089,6 @@ edges
 | B.java:599:31:599:38 | source(...) : Object | B.java:599:19:599:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | provenance | MaD:214 |
 | B.java:599:48:599:78 | firstEntry(...) : Entry [<map.key>] : Object | B.java:599:97:599:99 | out : Entry [<map.key>] : Object | provenance |  |
 | B.java:599:49:599:64 | (...)... : TreeMap [<map.key>] : Object | B.java:599:48:599:78 | firstEntry(...) : Entry [<map.key>] : Object | provenance | MaD:233 |
-| B.java:599:49:599:64 | (...)... : TreeMap [<map.key>] : Object | B.java:599:48:599:78 | firstEntry(...) : Entry [<map.key>] : Object | provenance | MaD:279 |
 | B.java:599:97:599:99 | out : Entry [<map.key>] : Object | B.java:43:29:43:46 | obj : Entry [<map.key>] : Object | provenance |  |
 | B.java:599:97:599:99 | out : Entry [<map.key>] : Object | B.java:599:86:599:100 | readMapKey(...) | provenance | MaD:174 |
 | B.java:604:19:604:41 | storeMapValue(...) : Map [<map.value>] : Object | B.java:604:51:604:66 | (...)... : NavigableMap [<map.value>] : Object | provenance |  |
@@ -1103,7 +1096,6 @@ edges
 | B.java:604:33:604:40 | source(...) : Object | B.java:604:19:604:41 | storeMapValue(...) : Map [<map.value>] : Object | provenance | MaD:215 |
 | B.java:604:50:604:80 | firstEntry(...) : Entry [<map.value>] : Object | B.java:604:101:604:103 | out : Entry [<map.value>] : Object | provenance |  |
 | B.java:604:51:604:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:604:50:604:80 | firstEntry(...) : Entry [<map.value>] : Object | provenance | MaD:234 |
-| B.java:604:51:604:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:604:50:604:80 | firstEntry(...) : Entry [<map.value>] : Object | provenance | MaD:280 |
 | B.java:604:101:604:103 | out : Entry [<map.value>] : Object | B.java:47:31:47:48 | obj : Entry [<map.value>] : Object | provenance |  |
 | B.java:604:101:604:103 | out : Entry [<map.value>] : Object | B.java:604:88:604:104 | readMapValue(...) | provenance | MaD:175 |
 | B.java:609:19:609:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | B.java:609:49:609:64 | (...)... : TreeMap [<map.key>] : Object | provenance |  |
@@ -1153,7 +1145,6 @@ edges
 | B.java:639:31:639:38 | source(...) : Object | B.java:639:19:639:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | provenance | MaD:214 |
 | B.java:639:48:639:77 | lastEntry(...) : Entry [<map.key>] : Object | B.java:639:96:639:98 | out : Entry [<map.key>] : Object | provenance |  |
 | B.java:639:49:639:64 | (...)... : TreeMap [<map.key>] : Object | B.java:639:48:639:77 | lastEntry(...) : Entry [<map.key>] : Object | provenance | MaD:241 |
-| B.java:639:49:639:64 | (...)... : TreeMap [<map.key>] : Object | B.java:639:48:639:77 | lastEntry(...) : Entry [<map.key>] : Object | provenance | MaD:281 |
 | B.java:639:96:639:98 | out : Entry [<map.key>] : Object | B.java:43:29:43:46 | obj : Entry [<map.key>] : Object | provenance |  |
 | B.java:639:96:639:98 | out : Entry [<map.key>] : Object | B.java:639:85:639:99 | readMapKey(...) | provenance | MaD:174 |
 | B.java:644:19:644:41 | storeMapValue(...) : Map [<map.value>] : Object | B.java:644:51:644:66 | (...)... : NavigableMap [<map.value>] : Object | provenance |  |
@@ -1161,7 +1152,6 @@ edges
 | B.java:644:33:644:40 | source(...) : Object | B.java:644:19:644:41 | storeMapValue(...) : Map [<map.value>] : Object | provenance | MaD:215 |
 | B.java:644:50:644:79 | lastEntry(...) : Entry [<map.value>] : Object | B.java:644:100:644:102 | out : Entry [<map.value>] : Object | provenance |  |
 | B.java:644:51:644:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:644:50:644:79 | lastEntry(...) : Entry [<map.value>] : Object | provenance | MaD:242 |
-| B.java:644:51:644:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:644:50:644:79 | lastEntry(...) : Entry [<map.value>] : Object | provenance | MaD:282 |
 | B.java:644:100:644:102 | out : Entry [<map.value>] : Object | B.java:47:31:47:48 | obj : Entry [<map.value>] : Object | provenance |  |
 | B.java:644:100:644:102 | out : Entry [<map.value>] : Object | B.java:644:87:644:103 | readMapValue(...) | provenance | MaD:175 |
 | B.java:649:19:649:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | B.java:649:49:649:64 | (...)... : TreeMap [<map.key>] : Object | provenance |  |
@@ -1183,7 +1173,6 @@ edges
 | B.java:659:31:659:38 | source(...) : Object | B.java:659:19:659:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | provenance | MaD:214 |
 | B.java:659:48:659:82 | pollFirstEntry(...) : Entry [<map.key>] : Object | B.java:659:101:659:103 | out : Entry [<map.key>] : Object | provenance |  |
 | B.java:659:49:659:64 | (...)... : TreeMap [<map.key>] : Object | B.java:659:48:659:82 | pollFirstEntry(...) : Entry [<map.key>] : Object | provenance | MaD:245 |
-| B.java:659:49:659:64 | (...)... : TreeMap [<map.key>] : Object | B.java:659:48:659:82 | pollFirstEntry(...) : Entry [<map.key>] : Object | provenance | MaD:283 |
 | B.java:659:101:659:103 | out : Entry [<map.key>] : Object | B.java:43:29:43:46 | obj : Entry [<map.key>] : Object | provenance |  |
 | B.java:659:101:659:103 | out : Entry [<map.key>] : Object | B.java:659:90:659:104 | readMapKey(...) | provenance | MaD:174 |
 | B.java:664:19:664:41 | storeMapValue(...) : Map [<map.value>] : Object | B.java:664:51:664:66 | (...)... : NavigableMap [<map.value>] : Object | provenance |  |
@@ -1191,7 +1180,6 @@ edges
 | B.java:664:33:664:40 | source(...) : Object | B.java:664:19:664:41 | storeMapValue(...) : Map [<map.value>] : Object | provenance | MaD:215 |
 | B.java:664:50:664:84 | pollFirstEntry(...) : Entry [<map.value>] : Object | B.java:664:105:664:107 | out : Entry [<map.value>] : Object | provenance |  |
 | B.java:664:51:664:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:664:50:664:84 | pollFirstEntry(...) : Entry [<map.value>] : Object | provenance | MaD:246 |
-| B.java:664:51:664:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:664:50:664:84 | pollFirstEntry(...) : Entry [<map.value>] : Object | provenance | MaD:284 |
 | B.java:664:105:664:107 | out : Entry [<map.value>] : Object | B.java:47:31:47:48 | obj : Entry [<map.value>] : Object | provenance |  |
 | B.java:664:105:664:107 | out : Entry [<map.value>] : Object | B.java:664:92:664:108 | readMapValue(...) | provenance | MaD:175 |
 | B.java:669:19:669:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | B.java:669:49:669:64 | (...)... : TreeMap [<map.key>] : Object | provenance |  |
@@ -1199,7 +1187,6 @@ edges
 | B.java:669:31:669:38 | source(...) : Object | B.java:669:19:669:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | provenance | MaD:214 |
 | B.java:669:48:669:81 | pollLastEntry(...) : Entry [<map.key>] : Object | B.java:669:100:669:102 | out : Entry [<map.key>] : Object | provenance |  |
 | B.java:669:49:669:64 | (...)... : TreeMap [<map.key>] : Object | B.java:669:48:669:81 | pollLastEntry(...) : Entry [<map.key>] : Object | provenance | MaD:247 |
-| B.java:669:49:669:64 | (...)... : TreeMap [<map.key>] : Object | B.java:669:48:669:81 | pollLastEntry(...) : Entry [<map.key>] : Object | provenance | MaD:285 |
 | B.java:669:100:669:102 | out : Entry [<map.key>] : Object | B.java:43:29:43:46 | obj : Entry [<map.key>] : Object | provenance |  |
 | B.java:669:100:669:102 | out : Entry [<map.key>] : Object | B.java:669:89:669:103 | readMapKey(...) | provenance | MaD:174 |
 | B.java:674:19:674:41 | storeMapValue(...) : Map [<map.value>] : Object | B.java:674:51:674:66 | (...)... : NavigableMap [<map.value>] : Object | provenance |  |
@@ -1207,7 +1194,6 @@ edges
 | B.java:674:33:674:40 | source(...) : Object | B.java:674:19:674:41 | storeMapValue(...) : Map [<map.value>] : Object | provenance | MaD:215 |
 | B.java:674:50:674:83 | pollLastEntry(...) : Entry [<map.value>] : Object | B.java:674:104:674:106 | out : Entry [<map.value>] : Object | provenance |  |
 | B.java:674:51:674:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:674:50:674:83 | pollLastEntry(...) : Entry [<map.value>] : Object | provenance | MaD:248 |
-| B.java:674:51:674:66 | (...)... : NavigableMap [<map.value>] : Object | B.java:674:50:674:83 | pollLastEntry(...) : Entry [<map.value>] : Object | provenance | MaD:286 |
 | B.java:674:104:674:106 | out : Entry [<map.value>] : Object | B.java:47:31:47:48 | obj : Entry [<map.value>] : Object | provenance |  |
 | B.java:674:104:674:106 | out : Entry [<map.value>] : Object | B.java:674:91:674:107 | readMapValue(...) | provenance | MaD:175 |
 | B.java:679:19:679:39 | storeMapKey(...) : TreeMap [<map.key>] : Object | B.java:679:49:679:64 | (...)... : TreeMap [<map.key>] : Object | provenance |  |
@@ -2746,7 +2732,6 @@ edges
 | B.java:2015:25:2015:52 | storeElementNavSet(...) : TreeSet [<element>] : Object | B.java:2015:61:2015:62 | in : TreeSet [<element>] : Object | provenance |  |
 | B.java:2015:44:2015:51 | source(...) : Object | B.java:26:49:26:53 | obj : Object | provenance |  |
 | B.java:2015:44:2015:51 | source(...) : Object | B.java:2015:25:2015:52 | storeElementNavSet(...) : TreeSet [<element>] : Object | provenance | MaD:54 |
-| B.java:2015:61:2015:62 | in : TreeSet [<element>] : Object | B.java:2015:61:2015:73 | reversed(...) : SequencedSet [<element>] : Object | provenance | MaD:278 |
 | B.java:2015:61:2015:62 | in : TreeSet [<element>] : Object | B.java:2015:61:2015:73 | reversed(...) : SequencedSet [<element>] : Object | provenance | MaD:299 |
 | B.java:2015:61:2015:73 | reversed(...) : SequencedSet [<element>] : Object | B.java:2015:93:2015:95 | out : SequencedSet [<element>] : Object | provenance |  |
 | B.java:2015:93:2015:95 | out : SequencedSet [<element>] : Object | B.java:31:28:31:42 | obj : SequencedSet [<element>] : Object | provenance |  |
--- a/java/ql/test/library-tests/frameworks/apache-collections/Test.java
+++ b/java/ql/test/library-tests/frameworks/apache-collections/Test.java
@@ -3427,7 +3427,8 @@ public class Test {
 			MultiMap out = null;
 			Object in = source();
 			out.put(null, in);
-			sink(getMapValue(out)); // $ hasValueFlow
+			Collection coll = (Collection) getMapValue(out);
+			sink(coll.toArray()[0]); // $ hasValueFlow
 		}
 		{
 			// "org.apache.commons.collections4;Put;true;put;;;Argument[1];MapValue of Argument[this];value;manual"
@@ -3457,13 +3458,6 @@ public class Test {
 			out = in.put(null, null);
 			sink(out); // $ hasValueFlow
 		}
-		{
-			// "org.apache.commons.collections4;Put;true;put;;;MapValue of Argument[this];ReturnValue;value;manual"
-			Object out = null;
-			MultiMap in = newMVMWithMapValue((String)source());
-			out = in.put(null, null);
-			sink(out); // $ hasValueFlow
-		}
 		{
 			// "org.apache.commons.collections4;Put;true;put;;;MapValue of Argument[this];ReturnValue;value;manual"
 			Object out = null;
@@ -5902,7 +5896,7 @@ public class Test {
 			ListOrderedMap out = null;
 			Object in = source();
 			out.put(null, in);
-			sink(getMapKey(out)); // $ hasValueFlow
+			sink(getMapValue(out)); // $ hasValueFlow
 		}
 		{
 			// "org.apache.commons.collections4.map;ListOrderedMap;true;put;;;Argument[1];MapKey of Argument[this];value;manual"
--- a/java/ql/test/library-tests/frameworks/apache-collections/test.expected
+++ b/java/ql/test/library-tests/frameworks/apache-collections/test.expected
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.expected
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.expected
--- a/java/ql/test/library-tests/frameworks/json-java/test.expected
+++ b/java/ql/test/library-tests/frameworks/json-java/test.expected
@@ -444,7 +444,6 @@ edges
 | Test.java:343:10:343:24 | getString(...) : String | Test.java:344:9:344:11 | out | provenance |  |
 | Test.java:349:19:349:37 | (...)... : JSONArray | Test.java:350:10:350:11 | in : JSONArray | provenance |  |
 | Test.java:349:30:349:37 | source(...) : Object | Test.java:349:19:349:37 | (...)... : JSONArray | provenance |  |
-| Test.java:350:10:350:11 | in : JSONArray | Test.java:350:10:350:22 | iterator(...) : Iterator [<element>] : Object | provenance | MaD:1 |
 | Test.java:350:10:350:11 | in : JSONArray | Test.java:350:10:350:22 | iterator(...) : Iterator [<element>] : Object | provenance | MaD:42 |
 | Test.java:350:10:350:22 | iterator(...) : Iterator [<element>] : Object | Test.java:351:20:351:22 | out : Iterator [<element>] : Object | provenance |  |
 | Test.java:351:20:351:22 | out : Iterator [<element>] : Object | Test.java:40:20:40:30 | it : Iterator [<element>] : Object | provenance |  |
--- a/java/ql/test/library-tests/frameworks/netty/generated/test.expected
+++ b/java/ql/test/library-tests/frameworks/netty/generated/test.expected
--- a/java/ql/test/library-tests/frameworks/spring/beans/test.expected
+++ b/java/ql/test/library-tests/frameworks/spring/beans/test.expected
@@ -46,15 +46,10 @@ edges
 | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>] : Object | Test.java:21:10:21:18 | container : MutablePropertyValues [<element>] : Object | provenance |  |
 | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>] : PropertyValue | Test.java:21:10:21:18 | container : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:21:10:21:18 | container : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue [<map.key>] : Object | provenance | MaD:23 |
-| Test.java:21:10:21:18 | container : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue [<map.key>] : Object | provenance | MaD:34 |
 | Test.java:21:10:21:18 | container : MutablePropertyValues [<element>, <map.key>] : String | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue [<map.key>] : String | provenance | MaD:23 |
-| Test.java:21:10:21:18 | container : MutablePropertyValues [<element>, <map.key>] : String | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue [<map.key>] : String | provenance | MaD:34 |
 | Test.java:21:10:21:18 | container : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue [<map.value>] : Object | provenance | MaD:23 |
-| Test.java:21:10:21:18 | container : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue [<map.value>] : Object | provenance | MaD:34 |
 | Test.java:21:10:21:18 | container : MutablePropertyValues [<element>] : Object | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue | provenance | MaD:23 |
-| Test.java:21:10:21:18 | container : MutablePropertyValues [<element>] : Object | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue | provenance | MaD:34 |
 | Test.java:21:10:21:18 | container : MutablePropertyValues [<element>] : PropertyValue | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue | provenance | MaD:23 |
-| Test.java:21:10:21:18 | container : MutablePropertyValues [<element>] : PropertyValue | Test.java:21:10:21:39 | getPropertyValue(...) : PropertyValue | provenance | MaD:34 |
 | Test.java:24:26:24:48 | container : PropertyValue [<map.key>] : Object | Test.java:25:10:25:18 | container : PropertyValue [<map.key>] : Object | provenance |  |
 | Test.java:24:26:24:48 | container : PropertyValue [<map.key>] : String | Test.java:25:10:25:18 | container : PropertyValue [<map.key>] : String | provenance |  |
 | Test.java:25:10:25:18 | container : PropertyValue [<map.key>] : Object | Test.java:25:10:25:28 | getName(...) : String | provenance | MaD:32 |
@@ -73,7 +68,6 @@ edges
 | Test.java:56:36:56:37 | in : List [<element>] : Object | Test.java:56:10:56:38 | new MutablePropertyValues(...) : MutablePropertyValues [<element>] : Object | provenance | MaD:6 |
 | Test.java:57:27:57:29 | out : MutablePropertyValues [<element>] : Object | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>] : Object | provenance |  |
 | Test.java:57:27:57:29 | out : MutablePropertyValues [<element>] : Object | Test.java:57:9:57:30 | getElementDefault(...) | provenance | MaD:23 |
-| Test.java:57:27:57:29 | out : MutablePropertyValues [<element>] : Object | Test.java:57:9:57:30 | getElementDefault(...) | provenance | MaD:34 |
 | Test.java:62:13:62:34 | of(...) : Map [<map.key>] : Object | Test.java:63:36:63:37 | in : Map [<map.key>] : Object | provenance |  |
 | Test.java:62:20:62:27 | source(...) : Object | Test.java:62:13:62:34 | of(...) : Map [<map.key>] : Object | provenance | MaD:4 |
 | Test.java:63:10:63:38 | new MutablePropertyValues(...) : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:64:44:64:46 | out : MutablePropertyValues [<element>, <map.key>] : Object | provenance |  |
@@ -82,7 +76,6 @@ edges
 | Test.java:64:26:64:47 | getElementDefault(...) : PropertyValue [<map.key>] : Object | Test.java:64:9:64:48 | getMapKeyDefault(...) | provenance | MaD:32 |
 | Test.java:64:44:64:46 | out : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.key>] : Object | provenance |  |
 | Test.java:64:44:64:46 | out : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:64:26:64:47 | getElementDefault(...) : PropertyValue [<map.key>] : Object | provenance | MaD:23 |
-| Test.java:64:44:64:46 | out : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:64:26:64:47 | getElementDefault(...) : PropertyValue [<map.key>] : Object | provenance | MaD:34 |
 | Test.java:69:13:69:34 | of(...) : Map [<map.value>] : Object | Test.java:70:36:70:37 | in : Map [<map.value>] : Object | provenance |  |
 | Test.java:69:26:69:33 | source(...) : Object | Test.java:69:13:69:34 | of(...) : Map [<map.value>] : Object | provenance | MaD:5 |
 | Test.java:70:10:70:38 | new MutablePropertyValues(...) : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:71:46:71:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
@@ -91,7 +84,6 @@ edges
 | Test.java:71:28:71:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | Test.java:71:9:71:50 | getMapValueDefault(...) | provenance | MaD:33 |
 | Test.java:71:46:71:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
 | Test.java:71:46:71:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:71:28:71:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:23 |
-| Test.java:71:46:71:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:71:28:71:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:34 |
 | Test.java:76:24:76:84 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | Test.java:77:36:77:37 | in : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:76:60:76:83 | (...)... : PropertyValue | Test.java:32:60:32:80 | element : PropertyValue | provenance |  |
 | Test.java:76:60:76:83 | (...)... : PropertyValue | Test.java:76:24:76:84 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:3 |
@@ -100,7 +92,6 @@ edges
 | Test.java:77:36:77:37 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:77:10:77:38 | new MutablePropertyValues(...) : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:9 |
 | Test.java:78:27:78:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:78:27:78:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:78:9:78:30 | getElementDefault(...) | provenance | MaD:23 |
-| Test.java:78:27:78:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:78:9:78:30 | getElementDefault(...) | provenance | MaD:34 |
 | Test.java:83:31:83:62 | (...)... : MutablePropertyValues | Test.java:84:10:84:11 | in : MutablePropertyValues | provenance |  |
 | Test.java:83:55:83:62 | source(...) : Object | Test.java:83:31:83:62 | (...)... : MutablePropertyValues | provenance |  |
 | Test.java:84:10:84:11 | in : MutablePropertyValues | Test.java:84:10:84:27 | add(...) : MutablePropertyValues | provenance | MaD:12 |
@@ -113,7 +104,6 @@ edges
 | Test.java:92:26:92:47 | getElementDefault(...) : PropertyValue [<map.key>] : String | Test.java:92:9:92:48 | getMapKeyDefault(...) | provenance | MaD:32 |
 | Test.java:92:44:92:46 | out : MutablePropertyValues [<element>, <map.key>] : String | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.key>] : String | provenance |  |
 | Test.java:92:44:92:46 | out : MutablePropertyValues [<element>, <map.key>] : String | Test.java:92:26:92:47 | getElementDefault(...) : PropertyValue [<map.key>] : String | provenance | MaD:23 |
-| Test.java:92:44:92:46 | out : MutablePropertyValues [<element>, <map.key>] : String | Test.java:92:26:92:47 | getElementDefault(...) : PropertyValue [<map.key>] : String | provenance | MaD:34 |
 | Test.java:97:16:97:32 | (...)... : Object | Test.java:98:18:98:19 | in : Object | provenance |  |
 | Test.java:97:25:97:32 | source(...) : Object | Test.java:97:16:97:32 | (...)... : Object | provenance |  |
 | Test.java:98:4:98:6 | out [post update] : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:99:46:99:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
@@ -122,7 +112,6 @@ edges
 | Test.java:99:28:99:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | Test.java:99:9:99:50 | getMapValueDefault(...) | provenance | MaD:33 |
 | Test.java:99:46:99:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
 | Test.java:99:46:99:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:99:28:99:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:23 |
-| Test.java:99:46:99:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:99:28:99:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:34 |
 | Test.java:104:31:104:62 | (...)... : MutablePropertyValues | Test.java:105:10:105:11 | in : MutablePropertyValues | provenance |  |
 | Test.java:104:55:104:62 | source(...) : Object | Test.java:104:31:104:62 | (...)... : MutablePropertyValues | provenance |  |
 | Test.java:105:10:105:11 | in : MutablePropertyValues | Test.java:105:10:105:34 | addPropertyValue(...) : MutablePropertyValues | provenance | MaD:14 |
@@ -133,7 +122,6 @@ edges
 | Test.java:112:25:112:26 | in : PropertyValue | Test.java:112:4:112:6 | out [post update] : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:13 |
 | Test.java:113:27:113:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:113:27:113:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:113:9:113:30 | getElementDefault(...) | provenance | MaD:23 |
-| Test.java:113:27:113:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:113:9:113:30 | getElementDefault(...) | provenance | MaD:34 |
 | Test.java:118:16:118:32 | (...)... : String | Test.java:119:25:119:26 | in : String | provenance |  |
 | Test.java:118:25:118:32 | source(...) : Object | Test.java:118:16:118:32 | (...)... : String | provenance |  |
 | Test.java:119:4:119:6 | out [post update] : MutablePropertyValues [<element>, <map.key>] : String | Test.java:120:44:120:46 | out : MutablePropertyValues [<element>, <map.key>] : String | provenance |  |
@@ -142,7 +130,6 @@ edges
 | Test.java:120:26:120:47 | getElementDefault(...) : PropertyValue [<map.key>] : String | Test.java:120:9:120:48 | getMapKeyDefault(...) | provenance | MaD:32 |
 | Test.java:120:44:120:46 | out : MutablePropertyValues [<element>, <map.key>] : String | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.key>] : String | provenance |  |
 | Test.java:120:44:120:46 | out : MutablePropertyValues [<element>, <map.key>] : String | Test.java:120:26:120:47 | getElementDefault(...) : PropertyValue [<map.key>] : String | provenance | MaD:23 |
-| Test.java:120:44:120:46 | out : MutablePropertyValues [<element>, <map.key>] : String | Test.java:120:26:120:47 | getElementDefault(...) : PropertyValue [<map.key>] : String | provenance | MaD:34 |
 | Test.java:125:16:125:32 | (...)... : Object | Test.java:126:31:126:32 | in : Object | provenance |  |
 | Test.java:125:25:125:32 | source(...) : Object | Test.java:125:16:125:32 | (...)... : Object | provenance |  |
 | Test.java:126:4:126:6 | out [post update] : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:127:46:127:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
@@ -151,7 +138,6 @@ edges
 | Test.java:127:28:127:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | Test.java:127:9:127:50 | getMapValueDefault(...) | provenance | MaD:33 |
 | Test.java:127:46:127:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
 | Test.java:127:46:127:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:127:28:127:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:23 |
-| Test.java:127:46:127:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:127:28:127:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:34 |
 | Test.java:132:31:132:62 | (...)... : MutablePropertyValues | Test.java:133:10:133:11 | in : MutablePropertyValues | provenance |  |
 | Test.java:132:55:132:62 | source(...) : Object | Test.java:132:31:132:62 | (...)... : MutablePropertyValues | provenance |  |
 | Test.java:133:10:133:11 | in : MutablePropertyValues | Test.java:133:10:133:41 | addPropertyValues(...) : MutablePropertyValues | provenance | MaD:19 |
@@ -164,7 +150,6 @@ edges
 | Test.java:141:26:141:47 | getElementDefault(...) : PropertyValue [<map.key>] : Object | Test.java:141:9:141:48 | getMapKeyDefault(...) | provenance | MaD:32 |
 | Test.java:141:44:141:46 | out : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.key>] : Object | provenance |  |
 | Test.java:141:44:141:46 | out : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:141:26:141:47 | getElementDefault(...) : PropertyValue [<map.key>] : Object | provenance | MaD:23 |
-| Test.java:141:44:141:46 | out : MutablePropertyValues [<element>, <map.key>] : Object | Test.java:141:26:141:47 | getElementDefault(...) : PropertyValue [<map.key>] : Object | provenance | MaD:34 |
 | Test.java:146:13:146:34 | of(...) : Map [<map.value>] : Object | Test.java:147:26:147:27 | in : Map [<map.value>] : Object | provenance |  |
 | Test.java:146:26:146:33 | source(...) : Object | Test.java:146:13:146:34 | of(...) : Map [<map.value>] : Object | provenance | MaD:5 |
 | Test.java:147:4:147:6 | out [post update] : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:148:46:148:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
@@ -173,7 +158,6 @@ edges
 | Test.java:148:28:148:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | Test.java:148:9:148:50 | getMapValueDefault(...) | provenance | MaD:33 |
 | Test.java:148:46:148:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
 | Test.java:148:46:148:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:148:28:148:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:23 |
-| Test.java:148:46:148:48 | out : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:148:28:148:49 | getElementDefault(...) : PropertyValue [<map.value>] : Object | provenance | MaD:34 |
 | Test.java:153:31:153:62 | (...)... : MutablePropertyValues | Test.java:154:10:154:11 | in : MutablePropertyValues | provenance |  |
 | Test.java:153:55:153:62 | source(...) : Object | Test.java:153:31:153:62 | (...)... : MutablePropertyValues | provenance |  |
 | Test.java:154:10:154:11 | in : MutablePropertyValues | Test.java:154:10:154:52 | addPropertyValues(...) : MutablePropertyValues | provenance | MaD:21 |
@@ -186,7 +170,6 @@ edges
 | Test.java:161:26:161:27 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:161:4:161:6 | out [post update] : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:20 |
 | Test.java:162:27:162:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:162:27:162:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:162:9:162:30 | getElementDefault(...) | provenance | MaD:23 |
-| Test.java:162:27:162:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:162:9:162:30 | getElementDefault(...) | provenance | MaD:34 |
 | Test.java:167:31:167:76 | newMutablePropertyValuesWithMapValue(...) : MutablePropertyValues [<element>, <map.value>] : Object | Test.java:168:10:168:11 | in : MutablePropertyValues [<element>, <map.value>] : Object | provenance |  |
 | Test.java:167:68:167:75 | source(...) : Object | Test.java:40:61:40:74 | element : Object | provenance |  |
 | Test.java:167:68:167:75 | source(...) : Object | Test.java:167:31:167:76 | newMutablePropertyValuesWithMapValue(...) : MutablePropertyValues [<element>, <map.value>] : Object | provenance | MaD:5 |
@@ -197,7 +180,6 @@ edges
 | Test.java:175:42:175:65 | (...)... : PropertyValue | Test.java:175:6:175:66 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:3 |
 | Test.java:175:58:175:65 | source(...) : Object | Test.java:175:42:175:65 | (...)... : PropertyValue | provenance |  |
 | Test.java:176:10:176:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:176:10:176:34 | getPropertyValue(...) : PropertyValue | provenance | MaD:23 |
-| Test.java:176:10:176:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:176:10:176:34 | getPropertyValue(...) : PropertyValue | provenance | MaD:34 |
 | Test.java:176:10:176:34 | getPropertyValue(...) : PropertyValue | Test.java:177:9:177:11 | out | provenance |  |
 | Test.java:183:6:183:66 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | Test.java:184:10:184:11 | in : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:183:42:183:65 | (...)... : PropertyValue | Test.java:32:60:32:80 | element : PropertyValue | provenance |  |
@@ -212,7 +194,6 @@ edges
 | Test.java:191:42:191:65 | (...)... : PropertyValue | Test.java:191:6:191:66 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:3 |
 | Test.java:191:58:191:65 | source(...) : Object | Test.java:191:42:191:65 | (...)... : PropertyValue | provenance |  |
 | Test.java:192:10:192:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:192:10:192:31 | getPropertyValues(...) : PropertyValue[] [[]] : PropertyValue | provenance | MaD:25 |
-| Test.java:192:10:192:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:192:10:192:31 | getPropertyValues(...) : PropertyValue[] [[]] : PropertyValue | provenance | MaD:35 |
 | Test.java:192:10:192:31 | getPropertyValues(...) : PropertyValue[] [[]] : PropertyValue | Test.java:193:25:193:27 | out : PropertyValue[] [[]] : PropertyValue | provenance |  |
 | Test.java:193:25:193:27 | out : PropertyValue[] [[]] : PropertyValue | Test.java:12:24:12:32 | array : PropertyValue[] [[]] : PropertyValue | provenance |  |
 | Test.java:193:25:193:27 | out : PropertyValue[] [[]] : PropertyValue | Test.java:193:9:193:28 | getArrayElement(...) | provenance |  |
@@ -222,7 +203,6 @@ edges
 | Test.java:199:27:199:28 | in : PropertyValue | Test.java:199:4:199:6 | out [post update] : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:26 |
 | Test.java:200:27:200:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:20:34:20:64 | container : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:200:27:200:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:200:9:200:30 | getElementDefault(...) | provenance | MaD:23 |
-| Test.java:200:27:200:29 | out : MutablePropertyValues [<element>] : PropertyValue | Test.java:200:9:200:30 | getElementDefault(...) | provenance | MaD:34 |
 | Test.java:205:23:205:46 | (...)... : PropertyValue | Test.java:206:28:206:29 | in : PropertyValue | provenance |  |
 | Test.java:205:39:205:46 | source(...) : Object | Test.java:205:23:205:46 | (...)... : PropertyValue | provenance |  |
 | Test.java:206:10:206:30 | new PropertyValue(...) : PropertyValue | Test.java:207:9:207:11 | out | provenance |  |
@@ -267,7 +247,6 @@ edges
 | Test.java:255:42:255:65 | (...)... : PropertyValue | Test.java:255:6:255:66 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:3 |
 | Test.java:255:58:255:65 | source(...) : Object | Test.java:255:42:255:65 | (...)... : PropertyValue | provenance |  |
 | Test.java:256:10:256:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:256:10:256:34 | getPropertyValue(...) : PropertyValue | provenance | MaD:23 |
-| Test.java:256:10:256:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:256:10:256:34 | getPropertyValue(...) : PropertyValue | provenance | MaD:34 |
 | Test.java:256:10:256:34 | getPropertyValue(...) : PropertyValue | Test.java:257:9:257:11 | out | provenance |  |
 | Test.java:262:24:262:84 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | Test.java:263:10:263:11 | in : MutablePropertyValues [<element>] : PropertyValue | provenance |  |
 | Test.java:262:60:262:83 | (...)... : PropertyValue | Test.java:32:60:32:80 | element : PropertyValue | provenance |  |
@@ -280,7 +259,6 @@ edges
 | Test.java:270:42:270:65 | (...)... : PropertyValue | Test.java:270:6:270:66 | newMutablePropertyValuesWithElement(...) : MutablePropertyValues [<element>] : PropertyValue | provenance | MaD:3 |
 | Test.java:270:58:270:65 | source(...) : Object | Test.java:270:42:270:65 | (...)... : PropertyValue | provenance |  |
 | Test.java:271:10:271:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:271:10:271:31 | getPropertyValues(...) : PropertyValue[] [[]] : PropertyValue | provenance | MaD:25 |
-| Test.java:271:10:271:11 | in : MutablePropertyValues [<element>] : PropertyValue | Test.java:271:10:271:31 | getPropertyValues(...) : PropertyValue[] [[]] : PropertyValue | provenance | MaD:35 |
 | Test.java:271:10:271:31 | getPropertyValues(...) : PropertyValue[] [[]] : PropertyValue | Test.java:272:25:272:27 | out : PropertyValue[] [[]] : PropertyValue | provenance |  |
 | Test.java:272:25:272:27 | out : PropertyValue[] [[]] : PropertyValue | Test.java:12:24:12:32 | array : PropertyValue[] [[]] : PropertyValue | provenance |  |
 | Test.java:272:25:272:27 | out : PropertyValue[] [[]] : PropertyValue | Test.java:272:9:272:28 | getArrayElement(...) | provenance |  |
--- a/java/ql/test/library-tests/frameworks/spring/http/flow.expected
+++ b/java/ql/test/library-tests/frameworks/spring/http/flow.expected
@@ -1,96 +1,92 @@
 models
 | 1 | Summary: java.util; List; false; of; (Object[]); ; Argument[0].ArrayElement; ReturnValue.Element; value; manual |
 | 2 | Summary: java.util; List; true; get; (int); ; Argument[this].Element; ReturnValue; value; manual |
-| 3 | Summary: java.util; Map; true; get; ; ; Argument[this].MapValue; ReturnValue; value; manual |
-| 4 | Summary: java.util; Optional; false; of; ; ; Argument[0]; ReturnValue.Element; value; manual |
-| 5 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (MultiValueMap); ; Argument[0].MapKey; Argument[this]; taint; manual |
-| 6 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (MultiValueMap); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
-| 7 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (Object); ; Argument[0]; Argument[this]; taint; manual |
-| 8 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (Object,MultiValueMap); ; Argument[0]; Argument[this]; taint; manual |
-| 9 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (Object,MultiValueMap); ; Argument[1].MapValue.Element; Argument[this]; taint; manual |
-| 10 | Summary: org.springframework.http; HttpEntity; true; getBody; ; ; Argument[this]; ReturnValue; taint; manual |
-| 11 | Summary: org.springframework.http; HttpEntity; true; getHeaders; ; ; Argument[this]; ReturnValue; taint; manual |
-| 12 | Summary: org.springframework.http; HttpHeaders; true; HttpHeaders; (MultiValueMap); ; Argument[0].MapKey; Argument[this]; taint; manual |
-| 13 | Summary: org.springframework.http; HttpHeaders; true; HttpHeaders; (MultiValueMap); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
-| 14 | Summary: org.springframework.http; HttpHeaders; true; add; (String,String); ; Argument[0..1]; Argument[this]; taint; manual |
-| 15 | Summary: org.springframework.http; HttpHeaders; true; addAll; (MultiValueMap); ; Argument[0].MapKey; Argument[this]; taint; manual |
-| 16 | Summary: org.springframework.http; HttpHeaders; true; addAll; (MultiValueMap); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
-| 17 | Summary: org.springframework.http; HttpHeaders; true; addAll; (String,List); ; Argument[0]; Argument[this]; taint; manual |
-| 18 | Summary: org.springframework.http; HttpHeaders; true; addAll; (String,List); ; Argument[1].Element; Argument[this]; taint; manual |
-| 19 | Summary: org.springframework.http; HttpHeaders; true; encodeBasicAuth; (String,String,Charset); ; Argument[0..1]; ReturnValue; taint; manual |
-| 20 | Summary: org.springframework.http; HttpHeaders; true; formatHeaders; (MultiValueMap); ; Argument[0].MapKey; ReturnValue; taint; manual |
-| 21 | Summary: org.springframework.http; HttpHeaders; true; formatHeaders; (MultiValueMap); ; Argument[0].MapValue.Element; ReturnValue; taint; manual |
-| 22 | Summary: org.springframework.http; HttpHeaders; true; get; (Object); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 23 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlAllowHeaders; (); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 24 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlAllowOrigin; (); ; Argument[this]; ReturnValue; taint; manual |
-| 25 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlExposeHeaders; (); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 26 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlRequestHeaders; (); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 27 | Summary: org.springframework.http; HttpHeaders; true; getCacheControl; (); ; Argument[this]; ReturnValue; taint; manual |
-| 28 | Summary: org.springframework.http; HttpHeaders; true; getConnection; (); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 29 | Summary: org.springframework.http; HttpHeaders; true; getETag; (); ; Argument[this]; ReturnValue; taint; manual |
-| 30 | Summary: org.springframework.http; HttpHeaders; true; getFirst; (String); ; Argument[this]; ReturnValue; taint; manual |
-| 31 | Summary: org.springframework.http; HttpHeaders; true; getHost; (); ; Argument[this]; ReturnValue; taint; manual |
-| 32 | Summary: org.springframework.http; HttpHeaders; true; getIfMatch; (); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 33 | Summary: org.springframework.http; HttpHeaders; true; getIfNoneMatch; (); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 34 | Summary: org.springframework.http; HttpHeaders; true; getLocation; (); ; Argument[this]; ReturnValue; taint; manual |
-| 35 | Summary: org.springframework.http; HttpHeaders; true; getOrEmpty; (Object); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 36 | Summary: org.springframework.http; HttpHeaders; true; getOrigin; (); ; Argument[this]; ReturnValue; taint; manual |
-| 37 | Summary: org.springframework.http; HttpHeaders; true; getPragma; (); ; Argument[this]; ReturnValue; taint; manual |
-| 38 | Summary: org.springframework.http; HttpHeaders; true; getUpgrade; (); ; Argument[this]; ReturnValue; taint; manual |
-| 39 | Summary: org.springframework.http; HttpHeaders; true; getValuesAsList; (String); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 40 | Summary: org.springframework.http; HttpHeaders; true; getVary; (); ; Argument[this]; ReturnValue.Element; taint; manual |
-| 41 | Summary: org.springframework.http; RequestEntity; true; getUrl; (); ; Argument[this]; ReturnValue; taint; manual |
-| 42 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; body; (Object); ; Argument[0]; ReturnValue; taint; manual |
-| 43 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; body; (Object); ; Argument[this]; ReturnValue; taint; manual |
-| 44 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; contentType; (MediaType); ; Argument[this]; ReturnValue; value; manual |
-| 45 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; allow; (HttpMethod[]); ; Argument[this]; ReturnValue; value; manual |
-| 46 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; build; (); ; Argument[this]; ReturnValue; taint; manual |
-| 47 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; eTag; (String); ; Argument[0]; Argument[this]; taint; manual |
-| 48 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; eTag; (String); ; Argument[this]; ReturnValue; value; manual |
-| 49 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; header; (String,String[]); ; Argument[0]; Argument[this]; taint; manual |
-| 50 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; header; (String,String[]); ; Argument[1].ArrayElement; Argument[this]; taint; manual |
-| 51 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; header; (String,String[]); ; Argument[this]; ReturnValue; value; manual |
-| 52 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; headers; (HttpHeaders); ; Argument[0]; Argument[this]; taint; manual |
-| 53 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; headers; (HttpHeaders); ; Argument[this]; ReturnValue; value; manual |
-| 54 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; lastModified; ; ; Argument[this]; ReturnValue; value; manual |
-| 55 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; location; (URI); ; Argument[0]; Argument[this]; taint; manual |
-| 56 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; location; (URI); ; Argument[this]; ReturnValue; value; manual |
-| 57 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (MultiValueMap,HttpStatus); ; Argument[0].MapKey; Argument[this]; taint; manual |
-| 58 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (MultiValueMap,HttpStatus); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
-| 59 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,HttpStatus); ; Argument[0]; Argument[this]; taint; manual |
-| 60 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,HttpStatus); ; Argument[0]; Argument[this]; taint; manual |
-| 61 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,HttpStatus); ; Argument[1].MapKey; Argument[this]; taint; manual |
-| 62 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,HttpStatus); ; Argument[1].MapValue.Element; Argument[this]; taint; manual |
-| 63 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,int); ; Argument[0]; Argument[this]; taint; manual |
-| 64 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,int); ; Argument[1].MapKey; Argument[this]; taint; manual |
-| 65 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,int); ; Argument[1].MapValue.Element; Argument[this]; taint; manual |
-| 66 | Summary: org.springframework.http; ResponseEntity; true; created; (URI); ; Argument[0]; ReturnValue; taint; manual |
-| 67 | Summary: org.springframework.http; ResponseEntity; true; of; (Optional); ; Argument[0].Element; ReturnValue; taint; manual |
-| 68 | Summary: org.springframework.http; ResponseEntity; true; ok; (Object); ; Argument[0]; ReturnValue; taint; manual |
-| 69 | Summary: org.springframework.util; MultiValueMap; true; add; ; ; Argument[0]; Argument[this].MapKey; value; manual |
-| 70 | Summary: org.springframework.util; MultiValueMap; true; add; ; ; Argument[1]; Argument[this].MapValue.Element; value; manual |
-| 71 | Summary: org.springframework.util; MultiValueMap; true; addAll; (java.lang.Object,java.util.List); ; Argument[1].Element; Argument[this].MapValue.Element; value; manual |
-| 72 | Summary: org.springframework.util; MultiValueMap; true; addAll; (org.springframework.util.MultiValueMap); ; Argument[0].MapValue.Element; Argument[this].MapValue.Element; value; manual |
-| 73 | Summary: org.springframework.util; MultiValueMap; true; getFirst; ; ; Argument[this].MapValue.Element; ReturnValue; value; manual |
+| 3 | Summary: java.util; Optional; false; of; ; ; Argument[0]; ReturnValue.Element; value; manual |
+| 4 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (MultiValueMap); ; Argument[0].MapKey; Argument[this]; taint; manual |
+| 5 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (MultiValueMap); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
+| 6 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (Object); ; Argument[0]; Argument[this]; taint; manual |
+| 7 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (Object,MultiValueMap); ; Argument[0]; Argument[this]; taint; manual |
+| 8 | Summary: org.springframework.http; HttpEntity; true; HttpEntity; (Object,MultiValueMap); ; Argument[1].MapValue.Element; Argument[this]; taint; manual |
+| 9 | Summary: org.springframework.http; HttpEntity; true; getBody; ; ; Argument[this]; ReturnValue; taint; manual |
+| 10 | Summary: org.springframework.http; HttpEntity; true; getHeaders; ; ; Argument[this]; ReturnValue; taint; manual |
+| 11 | Summary: org.springframework.http; HttpHeaders; true; HttpHeaders; (MultiValueMap); ; Argument[0].MapKey; Argument[this]; taint; manual |
+| 12 | Summary: org.springframework.http; HttpHeaders; true; HttpHeaders; (MultiValueMap); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
+| 13 | Summary: org.springframework.http; HttpHeaders; true; add; (String,String); ; Argument[0..1]; Argument[this]; taint; manual |
+| 14 | Summary: org.springframework.http; HttpHeaders; true; addAll; (MultiValueMap); ; Argument[0].MapKey; Argument[this]; taint; manual |
+| 15 | Summary: org.springframework.http; HttpHeaders; true; addAll; (MultiValueMap); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
+| 16 | Summary: org.springframework.http; HttpHeaders; true; addAll; (String,List); ; Argument[0]; Argument[this]; taint; manual |
+| 17 | Summary: org.springframework.http; HttpHeaders; true; addAll; (String,List); ; Argument[1].Element; Argument[this]; taint; manual |
+| 18 | Summary: org.springframework.http; HttpHeaders; true; encodeBasicAuth; (String,String,Charset); ; Argument[0..1]; ReturnValue; taint; manual |
+| 19 | Summary: org.springframework.http; HttpHeaders; true; formatHeaders; (MultiValueMap); ; Argument[0].MapKey; ReturnValue; taint; manual |
+| 20 | Summary: org.springframework.http; HttpHeaders; true; formatHeaders; (MultiValueMap); ; Argument[0].MapValue.Element; ReturnValue; taint; manual |
+| 21 | Summary: org.springframework.http; HttpHeaders; true; get; (Object); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 22 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlAllowHeaders; (); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 23 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlAllowOrigin; (); ; Argument[this]; ReturnValue; taint; manual |
+| 24 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlExposeHeaders; (); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 25 | Summary: org.springframework.http; HttpHeaders; true; getAccessControlRequestHeaders; (); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 26 | Summary: org.springframework.http; HttpHeaders; true; getCacheControl; (); ; Argument[this]; ReturnValue; taint; manual |
+| 27 | Summary: org.springframework.http; HttpHeaders; true; getConnection; (); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 28 | Summary: org.springframework.http; HttpHeaders; true; getETag; (); ; Argument[this]; ReturnValue; taint; manual |
+| 29 | Summary: org.springframework.http; HttpHeaders; true; getFirst; (String); ; Argument[this]; ReturnValue; taint; manual |
+| 30 | Summary: org.springframework.http; HttpHeaders; true; getHost; (); ; Argument[this]; ReturnValue; taint; manual |
+| 31 | Summary: org.springframework.http; HttpHeaders; true; getIfMatch; (); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 32 | Summary: org.springframework.http; HttpHeaders; true; getIfNoneMatch; (); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 33 | Summary: org.springframework.http; HttpHeaders; true; getLocation; (); ; Argument[this]; ReturnValue; taint; manual |
+| 34 | Summary: org.springframework.http; HttpHeaders; true; getOrEmpty; (Object); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 35 | Summary: org.springframework.http; HttpHeaders; true; getOrigin; (); ; Argument[this]; ReturnValue; taint; manual |
+| 36 | Summary: org.springframework.http; HttpHeaders; true; getPragma; (); ; Argument[this]; ReturnValue; taint; manual |
+| 37 | Summary: org.springframework.http; HttpHeaders; true; getUpgrade; (); ; Argument[this]; ReturnValue; taint; manual |
+| 38 | Summary: org.springframework.http; HttpHeaders; true; getValuesAsList; (String); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 39 | Summary: org.springframework.http; HttpHeaders; true; getVary; (); ; Argument[this]; ReturnValue.Element; taint; manual |
+| 40 | Summary: org.springframework.http; RequestEntity; true; getUrl; (); ; Argument[this]; ReturnValue; taint; manual |
+| 41 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; body; (Object); ; Argument[0]; ReturnValue; taint; manual |
+| 42 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; body; (Object); ; Argument[this]; ReturnValue; taint; manual |
+| 43 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; contentType; (MediaType); ; Argument[this]; ReturnValue; value; manual |
+| 44 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; allow; (HttpMethod[]); ; Argument[this]; ReturnValue; value; manual |
+| 45 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; build; (); ; Argument[this]; ReturnValue; taint; manual |
+| 46 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; eTag; (String); ; Argument[0]; Argument[this]; taint; manual |
+| 47 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; eTag; (String); ; Argument[this]; ReturnValue; value; manual |
+| 48 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; header; (String,String[]); ; Argument[0]; Argument[this]; taint; manual |
+| 49 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; header; (String,String[]); ; Argument[1].ArrayElement; Argument[this]; taint; manual |
+| 50 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; header; (String,String[]); ; Argument[this]; ReturnValue; value; manual |
+| 51 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; headers; (HttpHeaders); ; Argument[0]; Argument[this]; taint; manual |
+| 52 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; headers; (HttpHeaders); ; Argument[this]; ReturnValue; value; manual |
+| 53 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; lastModified; ; ; Argument[this]; ReturnValue; value; manual |
+| 54 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; location; (URI); ; Argument[0]; Argument[this]; taint; manual |
+| 55 | Summary: org.springframework.http; ResponseEntity$HeadersBuilder; true; location; (URI); ; Argument[this]; ReturnValue; value; manual |
+| 56 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (MultiValueMap,HttpStatus); ; Argument[0].MapKey; Argument[this]; taint; manual |
+| 57 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (MultiValueMap,HttpStatus); ; Argument[0].MapValue.Element; Argument[this]; taint; manual |
+| 58 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,HttpStatus); ; Argument[0]; Argument[this]; taint; manual |
+| 59 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,HttpStatus); ; Argument[0]; Argument[this]; taint; manual |
+| 60 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,HttpStatus); ; Argument[1].MapKey; Argument[this]; taint; manual |
+| 61 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,HttpStatus); ; Argument[1].MapValue.Element; Argument[this]; taint; manual |
+| 62 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,int); ; Argument[0]; Argument[this]; taint; manual |
+| 63 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,int); ; Argument[1].MapKey; Argument[this]; taint; manual |
+| 64 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,MultiValueMap,int); ; Argument[1].MapValue.Element; Argument[this]; taint; manual |
+| 65 | Summary: org.springframework.http; ResponseEntity; true; created; (URI); ; Argument[0]; ReturnValue; taint; manual |
+| 66 | Summary: org.springframework.http; ResponseEntity; true; of; (Optional); ; Argument[0].Element; ReturnValue; taint; manual |
+| 67 | Summary: org.springframework.http; ResponseEntity; true; ok; (Object); ; Argument[0]; ReturnValue; taint; manual |
+| 68 | Summary: org.springframework.util; MultiValueMap; true; add; ; ; Argument[0]; Argument[this].MapKey; value; manual |
+| 69 | Summary: org.springframework.util; MultiValueMap; true; add; ; ; Argument[1]; Argument[this].MapValue.Element; value; manual |
 edges
 | TestHttp.java:16:20:16:26 | taint(...) : String | TestHttp.java:17:29:17:29 | x : String | provenance |  |
 | TestHttp.java:16:20:16:26 | taint(...) : String | TestHttp.java:20:29:20:29 | x : String | provenance |  |
-| TestHttp.java:17:29:17:29 | x : String | TestHttp.java:17:14:17:30 | new HttpEntity<>(...) | provenance | MaD:7 |
-| TestHttp.java:20:29:20:29 | x : String | TestHttp.java:20:14:20:34 | new HttpEntity<>(...) | provenance | MaD:8 |
+| TestHttp.java:17:29:17:29 | x : String | TestHttp.java:17:14:17:30 | new HttpEntity<>(...) | provenance | MaD:6 |
+| TestHttp.java:20:29:20:29 | x : String | TestHttp.java:20:14:20:34 | new HttpEntity<>(...) | provenance | MaD:7 |
 | TestHttp.java:22:9:22:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:23:34:23:35 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
 | TestHttp.java:22:9:22:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:24:37:24:38 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
-| TestHttp.java:22:21:22:27 | taint(...) : String | TestHttp.java:22:9:22:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | provenance | MaD:70 |
-| TestHttp.java:23:34:23:35 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:23:14:23:36 | new HttpEntity<>(...) | provenance | MaD:9 |
-| TestHttp.java:24:37:24:38 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:24:14:24:39 | new HttpEntity<String>(...) | provenance | MaD:6 |
+| TestHttp.java:22:21:22:27 | taint(...) : String | TestHttp.java:22:9:22:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | provenance | MaD:69 |
+| TestHttp.java:23:34:23:35 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:23:14:23:36 | new HttpEntity<>(...) | provenance | MaD:8 |
+| TestHttp.java:24:37:24:38 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:24:14:24:39 | new HttpEntity<String>(...) | provenance | MaD:5 |
 | TestHttp.java:27:9:27:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:28:37:28:38 | m2 : LinkedMultiValueMap [<map.key>] : String | provenance |  |
-| TestHttp.java:27:16:27:22 | taint(...) : String | TestHttp.java:27:9:27:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | provenance | MaD:69 |
-| TestHttp.java:28:37:28:38 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:28:14:28:39 | new HttpEntity<String>(...) | provenance | MaD:5 |
+| TestHttp.java:27:16:27:22 | taint(...) : String | TestHttp.java:27:9:27:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | provenance | MaD:68 |
+| TestHttp.java:28:37:28:38 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:28:14:28:39 | new HttpEntity<String>(...) | provenance | MaD:4 |
 | TestHttp.java:30:34:30:40 | taint(...) : HttpEntity | TestHttp.java:31:14:31:16 | ent : HttpEntity | provenance |  |
 | TestHttp.java:30:34:30:40 | taint(...) : HttpEntity | TestHttp.java:32:14:32:16 | ent : HttpEntity | provenance |  |
-| TestHttp.java:31:14:31:16 | ent : HttpEntity | TestHttp.java:31:14:31:26 | getBody(...) | provenance | MaD:10 |
-| TestHttp.java:32:14:32:16 | ent : HttpEntity | TestHttp.java:32:14:32:29 | getHeaders(...) | provenance | MaD:11 |
+| TestHttp.java:31:14:31:16 | ent : HttpEntity | TestHttp.java:31:14:31:26 | getBody(...) | provenance | MaD:9 |
+| TestHttp.java:32:14:32:16 | ent : HttpEntity | TestHttp.java:32:14:32:29 | getHeaders(...) | provenance | MaD:10 |
 | TestHttp.java:34:37:34:43 | taint(...) : RequestEntity | TestHttp.java:35:14:35:16 | req : RequestEntity | provenance |  |
-| TestHttp.java:35:14:35:16 | req : RequestEntity | TestHttp.java:35:14:35:25 | getUrl(...) | provenance | MaD:41 |
+| TestHttp.java:35:14:35:16 | req : RequestEntity | TestHttp.java:35:14:35:25 | getUrl(...) | provenance | MaD:40 |
 | TestHttp.java:39:20:39:26 | taint(...) : String | TestHttp.java:40:14:40:33 | ok(...) | provenance | SpringResponseEntity |
 | TestHttp.java:39:20:39:26 | taint(...) : String | TestHttp.java:40:32:40:32 | x : String | provenance |  |
 | TestHttp.java:39:20:39:26 | taint(...) : String | TestHttp.java:41:44:41:44 | x : String | provenance |  |
@@ -99,86 +95,80 @@ edges
 | TestHttp.java:39:20:39:26 | taint(...) : String | TestHttp.java:45:48:45:48 | x : String | provenance |  |
 | TestHttp.java:39:20:39:26 | taint(...) : String | TestHttp.java:46:63:46:63 | x : String | provenance |  |
 | TestHttp.java:39:20:39:26 | taint(...) : String | TestHttp.java:50:46:50:46 | x : String | provenance |  |
-| TestHttp.java:40:32:40:32 | x : String | TestHttp.java:40:14:40:33 | ok(...) | provenance | MaD:68 |
-| TestHttp.java:41:32:41:45 | of(...) : Optional [<element>] : String | TestHttp.java:41:14:41:46 | of(...) | provenance | MaD:67 |
-| TestHttp.java:41:44:41:44 | x : String | TestHttp.java:41:32:41:45 | of(...) : Optional [<element>] : String | provenance | MaD:4 |
-| TestHttp.java:43:66:43:66 | x : String | TestHttp.java:43:14:43:67 | body(...) | provenance | MaD:42 |
-| TestHttp.java:44:14:44:44 | created(...) : BodyBuilder | TestHttp.java:44:14:44:62 | contentType(...) : BodyBuilder | provenance | MaD:44 |
-| TestHttp.java:44:14:44:62 | contentType(...) : BodyBuilder | TestHttp.java:44:14:44:72 | body(...) | provenance | MaD:43 |
-| TestHttp.java:44:37:44:43 | taint(...) : URI | TestHttp.java:44:14:44:44 | created(...) : BodyBuilder | provenance | MaD:66 |
-| TestHttp.java:45:14:45:64 | header(...) : BodyBuilder | TestHttp.java:45:14:45:72 | build(...) | provenance | MaD:46 |
-| TestHttp.java:45:48:45:48 | x : String | TestHttp.java:45:14:45:64 | header(...) : BodyBuilder | provenance | MaD:49+MaD:51 |
-| TestHttp.java:46:14:46:64 | header(...) : BodyBuilder | TestHttp.java:46:14:46:72 | build(...) | provenance | MaD:46 |
-| TestHttp.java:46:14:46:64 | new ..[] { .. } : String[] [[]] : String | TestHttp.java:46:14:46:64 | header(...) : BodyBuilder | provenance | MaD:50+MaD:51 |
+| TestHttp.java:40:32:40:32 | x : String | TestHttp.java:40:14:40:33 | ok(...) | provenance | MaD:67 |
+| TestHttp.java:41:32:41:45 | of(...) : Optional [<element>] : String | TestHttp.java:41:14:41:46 | of(...) | provenance | MaD:66 |
+| TestHttp.java:41:44:41:44 | x : String | TestHttp.java:41:32:41:45 | of(...) : Optional [<element>] : String | provenance | MaD:3 |
+| TestHttp.java:43:66:43:66 | x : String | TestHttp.java:43:14:43:67 | body(...) | provenance | MaD:41 |
+| TestHttp.java:44:14:44:44 | created(...) : BodyBuilder | TestHttp.java:44:14:44:62 | contentType(...) : BodyBuilder | provenance | MaD:43 |
+| TestHttp.java:44:14:44:62 | contentType(...) : BodyBuilder | TestHttp.java:44:14:44:72 | body(...) | provenance | MaD:42 |
+| TestHttp.java:44:37:44:43 | taint(...) : URI | TestHttp.java:44:14:44:44 | created(...) : BodyBuilder | provenance | MaD:65 |
+| TestHttp.java:45:14:45:64 | header(...) : BodyBuilder | TestHttp.java:45:14:45:72 | build(...) | provenance | MaD:45 |
+| TestHttp.java:45:48:45:48 | x : String | TestHttp.java:45:14:45:64 | header(...) : BodyBuilder | provenance | MaD:48+MaD:50 |
+| TestHttp.java:46:14:46:64 | header(...) : BodyBuilder | TestHttp.java:46:14:46:72 | build(...) | provenance | MaD:45 |
+| TestHttp.java:46:14:46:64 | new ..[] { .. } : String[] [[]] : String | TestHttp.java:46:14:46:64 | header(...) : BodyBuilder | provenance | MaD:49+MaD:50 |
 | TestHttp.java:46:63:46:63 | x : String | TestHttp.java:46:14:46:64 | new ..[] { .. } : String[] [[]] : String | provenance |  |
 | TestHttp.java:48:9:48:9 | h [post update] : HttpHeaders | TestHttp.java:49:49:49:49 | h : HttpHeaders | provenance |  |
-| TestHttp.java:48:20:48:26 | taint(...) : String | TestHttp.java:48:9:48:9 | h [post update] : HttpHeaders | provenance | MaD:14 |
-| TestHttp.java:49:14:49:50 | headers(...) : BodyBuilder | TestHttp.java:49:14:49:58 | allow(...) : BodyBuilder | provenance | MaD:45 |
-| TestHttp.java:49:14:49:58 | allow(...) : BodyBuilder | TestHttp.java:49:14:49:66 | build(...) | provenance | MaD:46 |
-| TestHttp.java:49:49:49:49 | h : HttpHeaders | TestHttp.java:49:14:49:50 | headers(...) : BodyBuilder | provenance | MaD:52+MaD:53 |
-| TestHttp.java:50:14:50:47 | eTag(...) : BodyBuilder | TestHttp.java:50:14:50:55 | allow(...) : BodyBuilder | provenance | MaD:45 |
-| TestHttp.java:50:14:50:55 | allow(...) : BodyBuilder | TestHttp.java:50:14:50:63 | build(...) | provenance | MaD:46 |
-| TestHttp.java:50:46:50:46 | x : String | TestHttp.java:50:14:50:47 | eTag(...) : BodyBuilder | provenance | MaD:47+MaD:48 |
-| TestHttp.java:51:14:51:57 | location(...) : BodyBuilder | TestHttp.java:51:14:51:80 | lastModified(...) : BodyBuilder | provenance | MaD:54 |
-| TestHttp.java:51:14:51:80 | lastModified(...) : BodyBuilder | TestHttp.java:51:14:51:88 | build(...) | provenance | MaD:46 |
-| TestHttp.java:51:50:51:56 | taint(...) : URI | TestHttp.java:51:14:51:57 | location(...) : BodyBuilder | provenance | MaD:55+MaD:56 |
+| TestHttp.java:48:20:48:26 | taint(...) : String | TestHttp.java:48:9:48:9 | h [post update] : HttpHeaders | provenance | MaD:13 |
+| TestHttp.java:49:14:49:50 | headers(...) : BodyBuilder | TestHttp.java:49:14:49:58 | allow(...) : BodyBuilder | provenance | MaD:44 |
+| TestHttp.java:49:14:49:58 | allow(...) : BodyBuilder | TestHttp.java:49:14:49:66 | build(...) | provenance | MaD:45 |
+| TestHttp.java:49:49:49:49 | h : HttpHeaders | TestHttp.java:49:14:49:50 | headers(...) : BodyBuilder | provenance | MaD:51+MaD:52 |
+| TestHttp.java:50:14:50:47 | eTag(...) : BodyBuilder | TestHttp.java:50:14:50:55 | allow(...) : BodyBuilder | provenance | MaD:44 |
+| TestHttp.java:50:14:50:55 | allow(...) : BodyBuilder | TestHttp.java:50:14:50:63 | build(...) | provenance | MaD:45 |
+| TestHttp.java:50:46:50:46 | x : String | TestHttp.java:50:14:50:47 | eTag(...) : BodyBuilder | provenance | MaD:46+MaD:47 |
+| TestHttp.java:51:14:51:57 | location(...) : BodyBuilder | TestHttp.java:51:14:51:80 | lastModified(...) : BodyBuilder | provenance | MaD:53 |
+| TestHttp.java:51:14:51:80 | lastModified(...) : BodyBuilder | TestHttp.java:51:14:51:88 | build(...) | provenance | MaD:45 |
+| TestHttp.java:51:50:51:56 | taint(...) : URI | TestHttp.java:51:14:51:57 | location(...) : BodyBuilder | provenance | MaD:54+MaD:55 |
 | TestHttp.java:56:20:56:26 | taint(...) : String | TestHttp.java:59:33:59:33 | x : String | provenance |  |
 | TestHttp.java:56:20:56:26 | taint(...) : String | TestHttp.java:60:33:60:33 | x : String | provenance |  |
 | TestHttp.java:56:20:56:26 | taint(...) : String | TestHttp.java:61:33:61:33 | x : String | provenance |  |
-| TestHttp.java:59:33:59:33 | x : String | TestHttp.java:59:14:59:55 | new ResponseEntity<>(...) | provenance | MaD:59 |
-| TestHttp.java:60:33:60:33 | x : String | TestHttp.java:60:14:60:59 | new ResponseEntity<>(...) | provenance | MaD:60 |
-| TestHttp.java:61:33:61:33 | x : String | TestHttp.java:61:14:61:43 | new ResponseEntity<>(...) | provenance | MaD:63 |
+| TestHttp.java:59:33:59:33 | x : String | TestHttp.java:59:14:59:55 | new ResponseEntity<>(...) | provenance | MaD:58 |
+| TestHttp.java:60:33:60:33 | x : String | TestHttp.java:60:14:60:59 | new ResponseEntity<>(...) | provenance | MaD:59 |
+| TestHttp.java:61:33:61:33 | x : String | TestHttp.java:61:14:61:43 | new ResponseEntity<>(...) | provenance | MaD:62 |
 | TestHttp.java:63:9:63:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:64:38:64:39 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
 | TestHttp.java:63:9:63:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:65:41:65:42 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
 | TestHttp.java:63:9:63:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:66:38:66:39 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
-| TestHttp.java:63:21:63:27 | taint(...) : String | TestHttp.java:63:9:63:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | provenance | MaD:70 |
-| TestHttp.java:64:38:64:39 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:64:14:64:61 | new ResponseEntity<>(...) | provenance | MaD:62 |
-| TestHttp.java:65:41:65:42 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:65:14:65:64 | new ResponseEntity<String>(...) | provenance | MaD:58 |
-| TestHttp.java:66:38:66:39 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:66:14:66:45 | new ResponseEntity<>(...) | provenance | MaD:65 |
+| TestHttp.java:63:21:63:27 | taint(...) : String | TestHttp.java:63:9:63:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | provenance | MaD:69 |
+| TestHttp.java:64:38:64:39 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:64:14:64:61 | new ResponseEntity<>(...) | provenance | MaD:61 |
+| TestHttp.java:65:41:65:42 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:65:14:65:64 | new ResponseEntity<String>(...) | provenance | MaD:57 |
+| TestHttp.java:66:38:66:39 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:66:14:66:45 | new ResponseEntity<>(...) | provenance | MaD:64 |
 | TestHttp.java:69:9:69:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:70:38:70:39 | m2 : LinkedMultiValueMap [<map.key>] : String | provenance |  |
 | TestHttp.java:69:9:69:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:71:41:71:42 | m2 : LinkedMultiValueMap [<map.key>] : String | provenance |  |
 | TestHttp.java:69:9:69:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:72:38:72:39 | m2 : LinkedMultiValueMap [<map.key>] : String | provenance |  |
-| TestHttp.java:69:16:69:22 | taint(...) : String | TestHttp.java:69:9:69:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | provenance | MaD:69 |
-| TestHttp.java:70:38:70:39 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:70:14:70:61 | new ResponseEntity<>(...) | provenance | MaD:61 |
-| TestHttp.java:71:41:71:42 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:71:14:71:64 | new ResponseEntity<String>(...) | provenance | MaD:57 |
-| TestHttp.java:72:38:72:39 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:72:14:72:45 | new ResponseEntity<>(...) | provenance | MaD:64 |
+| TestHttp.java:69:16:69:22 | taint(...) : String | TestHttp.java:69:9:69:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | provenance | MaD:68 |
+| TestHttp.java:70:38:70:39 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:70:14:70:61 | new ResponseEntity<>(...) | provenance | MaD:60 |
+| TestHttp.java:71:41:71:42 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:71:14:71:64 | new ResponseEntity<String>(...) | provenance | MaD:56 |
+| TestHttp.java:72:38:72:39 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:72:14:72:45 | new ResponseEntity<>(...) | provenance | MaD:63 |
 | TestHttp.java:74:38:74:44 | taint(...) : ResponseEntity | TestHttp.java:75:14:75:16 | ent : ResponseEntity | provenance |  |
 | TestHttp.java:74:38:74:44 | taint(...) : ResponseEntity | TestHttp.java:76:14:76:16 | ent : ResponseEntity | provenance |  |
-| TestHttp.java:75:14:75:16 | ent : ResponseEntity | TestHttp.java:75:14:75:26 | getBody(...) | provenance | MaD:10 |
-| TestHttp.java:76:14:76:16 | ent : ResponseEntity | TestHttp.java:76:14:76:29 | getHeaders(...) | provenance | MaD:11 |
+| TestHttp.java:75:14:75:16 | ent : ResponseEntity | TestHttp.java:75:14:75:26 | getBody(...) | provenance | MaD:9 |
+| TestHttp.java:76:14:76:16 | ent : ResponseEntity | TestHttp.java:76:14:76:29 | getHeaders(...) | provenance | MaD:10 |
 | TestHttp.java:81:9:81:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:82:30:82:31 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
 | TestHttp.java:81:9:81:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:97:19:97:20 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
 | TestHttp.java:81:9:81:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:112:40:112:41 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | provenance |  |
-| TestHttp.java:81:21:81:27 | taint(...) : String | TestHttp.java:81:9:81:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | provenance | MaD:70 |
-| TestHttp.java:82:30:82:31 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:82:14:82:32 | new HttpHeaders(...) | provenance | MaD:13 |
+| TestHttp.java:81:21:81:27 | taint(...) : String | TestHttp.java:81:9:81:10 | m1 [post update] : LinkedMultiValueMap [<map.value>, <element>] : String | provenance | MaD:69 |
+| TestHttp.java:82:30:82:31 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:82:14:82:32 | new HttpHeaders(...) | provenance | MaD:12 |
 | TestHttp.java:85:9:85:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:86:30:86:31 | m2 : LinkedMultiValueMap [<map.key>] : String | provenance |  |
 | TestHttp.java:85:9:85:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:101:19:101:20 | m2 : LinkedMultiValueMap [<map.key>] : String | provenance |  |
 | TestHttp.java:85:9:85:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:113:40:113:41 | m2 : LinkedMultiValueMap [<map.key>] : String | provenance |  |
-| TestHttp.java:85:16:85:22 | taint(...) : String | TestHttp.java:85:9:85:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | provenance | MaD:69 |
-| TestHttp.java:86:30:86:31 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:86:14:86:32 | new HttpHeaders(...) | provenance | MaD:12 |
+| TestHttp.java:85:16:85:22 | taint(...) : String | TestHttp.java:85:9:85:10 | m2 [post update] : LinkedMultiValueMap [<map.key>] : String | provenance | MaD:68 |
+| TestHttp.java:86:30:86:31 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:86:14:86:32 | new HttpHeaders(...) | provenance | MaD:11 |
 | TestHttp.java:89:9:89:10 | h1 [post update] : HttpHeaders | TestHttp.java:90:14:90:15 | h1 | provenance |  |
-| TestHttp.java:89:16:89:22 | taint(...) : String | TestHttp.java:89:9:89:10 | h1 [post update] : HttpHeaders | provenance | MaD:14 |
+| TestHttp.java:89:16:89:22 | taint(...) : String | TestHttp.java:89:9:89:10 | h1 [post update] : HttpHeaders | provenance | MaD:13 |
 | TestHttp.java:93:9:93:10 | h2 [post update] : HttpHeaders | TestHttp.java:94:14:94:15 | h2 | provenance |  |
-| TestHttp.java:93:9:93:10 | h2 [post update] : HttpHeaders [<map.value>, <element>] : String | TestHttp.java:94:14:94:15 | h2 | provenance |  |
-| TestHttp.java:93:21:93:27 | taint(...) : String | TestHttp.java:93:9:93:10 | h2 [post update] : HttpHeaders | provenance | MaD:14 |
-| TestHttp.java:93:21:93:27 | taint(...) : String | TestHttp.java:93:9:93:10 | h2 [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:70 |
+| TestHttp.java:93:21:93:27 | taint(...) : String | TestHttp.java:93:9:93:10 | h2 [post update] : HttpHeaders | provenance | MaD:13 |
 | TestHttp.java:97:9:97:10 | h3 [post update] : HttpHeaders | TestHttp.java:98:14:98:15 | h3 | provenance |  |
-| TestHttp.java:97:9:97:10 | h3 [post update] : HttpHeaders [<map.value>, <element>] : String | TestHttp.java:98:14:98:15 | h3 | provenance |  |
-| TestHttp.java:97:19:97:20 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:97:9:97:10 | h3 [post update] : HttpHeaders | provenance | MaD:16 |
-| TestHttp.java:97:19:97:20 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:97:9:97:10 | h3 [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:72 |
+| TestHttp.java:97:19:97:20 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:97:9:97:10 | h3 [post update] : HttpHeaders | provenance | MaD:15 |
 | TestHttp.java:101:9:101:10 | h4 [post update] : HttpHeaders | TestHttp.java:102:14:102:15 | h4 | provenance |  |
-| TestHttp.java:101:19:101:20 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:101:9:101:10 | h4 [post update] : HttpHeaders | provenance | MaD:15 |
+| TestHttp.java:101:19:101:20 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:101:9:101:10 | h4 [post update] : HttpHeaders | provenance | MaD:14 |
 | TestHttp.java:105:9:105:10 | h5 [post update] : HttpHeaders | TestHttp.java:106:14:106:15 | h5 | provenance |  |
-| TestHttp.java:105:19:105:25 | taint(...) : String | TestHttp.java:105:9:105:10 | h5 [post update] : HttpHeaders | provenance | MaD:17 |
+| TestHttp.java:105:19:105:25 | taint(...) : String | TestHttp.java:105:9:105:10 | h5 [post update] : HttpHeaders | provenance | MaD:16 |
 | TestHttp.java:109:9:109:10 | h6 [post update] : HttpHeaders | TestHttp.java:110:14:110:15 | h6 | provenance |  |
-| TestHttp.java:109:9:109:10 | h6 [post update] : HttpHeaders [<map.value>, <element>] : Object | TestHttp.java:110:14:110:15 | h6 | provenance |  |
-| TestHttp.java:109:24:109:39 | of(...) : List [<element>] : Object | TestHttp.java:109:9:109:10 | h6 [post update] : HttpHeaders | provenance | MaD:18 |
-| TestHttp.java:109:24:109:39 | of(...) : List [<element>] : Object | TestHttp.java:109:9:109:10 | h6 [post update] : HttpHeaders [<map.value>, <element>] : Object | provenance | MaD:71 |
+| TestHttp.java:109:24:109:39 | of(...) : List [<element>] : Object | TestHttp.java:109:9:109:10 | h6 [post update] : HttpHeaders | provenance | MaD:17 |
 | TestHttp.java:109:32:109:38 | taint(...) : String[] | TestHttp.java:109:24:109:39 | of(...) : List [<element>] : Object | provenance | MaD:1 |
-| TestHttp.java:112:40:112:41 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:112:14:112:42 | formatHeaders(...) | provenance | MaD:21 |
-| TestHttp.java:113:40:113:41 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:113:14:113:42 | formatHeaders(...) | provenance | MaD:20 |
-| TestHttp.java:115:42:115:48 | taint(...) : String | TestHttp.java:115:14:115:60 | encodeBasicAuth(...) | provenance | MaD:19 |
-| TestHttp.java:116:47:116:53 | taint(...) : String | TestHttp.java:116:14:116:60 | encodeBasicAuth(...) | provenance | MaD:19 |
+| TestHttp.java:112:40:112:41 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | TestHttp.java:112:14:112:42 | formatHeaders(...) | provenance | MaD:20 |
+| TestHttp.java:113:40:113:41 | m2 : LinkedMultiValueMap [<map.key>] : String | TestHttp.java:113:14:113:42 | formatHeaders(...) | provenance | MaD:19 |
+| TestHttp.java:115:42:115:48 | taint(...) : String | TestHttp.java:115:14:115:60 | encodeBasicAuth(...) | provenance | MaD:18 |
+| TestHttp.java:116:47:116:53 | taint(...) : String | TestHttp.java:116:14:116:60 | encodeBasicAuth(...) | provenance | MaD:18 |
 | TestHttp.java:120:25:120:31 | taint(...) : HttpHeaders | TestHttp.java:122:14:122:14 | h : HttpHeaders | provenance |  |
 | TestHttp.java:120:25:120:31 | taint(...) : HttpHeaders | TestHttp.java:128:14:128:14 | h : HttpHeaders | provenance |  |
 | TestHttp.java:120:25:120:31 | taint(...) : HttpHeaders | TestHttp.java:130:14:130:14 | h : HttpHeaders | provenance |  |
@@ -198,37 +188,34 @@ edges
 | TestHttp.java:120:25:120:31 | taint(...) : HttpHeaders | TestHttp.java:158:14:158:14 | h : HttpHeaders | provenance |  |
 | TestHttp.java:120:25:120:31 | taint(...) : HttpHeaders | TestHttp.java:159:14:159:14 | h : HttpHeaders | provenance |  |
 | TestHttp.java:120:25:120:31 | taint(...) : HttpHeaders | TestHttp.java:160:14:160:14 | h : HttpHeaders | provenance |  |
-| TestHttp.java:122:14:122:14 | h : HttpHeaders | TestHttp.java:122:14:122:24 | get(...) : List | provenance | MaD:3 |
-| TestHttp.java:122:14:122:14 | h : HttpHeaders | TestHttp.java:122:14:122:24 | get(...) : List [<element>] : Object | provenance | MaD:22 |
-| TestHttp.java:122:14:122:24 | get(...) : List | TestHttp.java:122:14:122:31 | get(...) | provenance | MaD:2 |
+| TestHttp.java:122:14:122:14 | h : HttpHeaders | TestHttp.java:122:14:122:24 | get(...) : List [<element>] : Object | provenance | MaD:21 |
 | TestHttp.java:122:14:122:24 | get(...) : List [<element>] : Object | TestHttp.java:122:14:122:31 | get(...) | provenance | MaD:2 |
-| TestHttp.java:128:14:128:14 | h : HttpHeaders | TestHttp.java:128:14:128:45 | getAccessControlAllowHeaders(...) : List [<element>] : Object | provenance | MaD:23 |
+| TestHttp.java:128:14:128:14 | h : HttpHeaders | TestHttp.java:128:14:128:45 | getAccessControlAllowHeaders(...) : List [<element>] : Object | provenance | MaD:22 |
 | TestHttp.java:128:14:128:45 | getAccessControlAllowHeaders(...) : List [<element>] : Object | TestHttp.java:128:14:128:52 | get(...) | provenance | MaD:2 |
-| TestHttp.java:130:14:130:14 | h : HttpHeaders | TestHttp.java:130:14:130:44 | getAccessControlAllowOrigin(...) | provenance | MaD:24 |
-| TestHttp.java:131:14:131:14 | h : HttpHeaders | TestHttp.java:131:14:131:46 | getAccessControlExposeHeaders(...) : List [<element>] : Object | provenance | MaD:25 |
+| TestHttp.java:130:14:130:14 | h : HttpHeaders | TestHttp.java:130:14:130:44 | getAccessControlAllowOrigin(...) | provenance | MaD:23 |
+| TestHttp.java:131:14:131:14 | h : HttpHeaders | TestHttp.java:131:14:131:46 | getAccessControlExposeHeaders(...) : List [<element>] : Object | provenance | MaD:24 |
 | TestHttp.java:131:14:131:46 | getAccessControlExposeHeaders(...) : List [<element>] : Object | TestHttp.java:131:14:131:53 | get(...) | provenance | MaD:2 |
-| TestHttp.java:133:14:133:14 | h : HttpHeaders | TestHttp.java:133:14:133:47 | getAccessControlRequestHeaders(...) : List [<element>] : Object | provenance | MaD:26 |
+| TestHttp.java:133:14:133:14 | h : HttpHeaders | TestHttp.java:133:14:133:47 | getAccessControlRequestHeaders(...) : List [<element>] : Object | provenance | MaD:25 |
 | TestHttp.java:133:14:133:47 | getAccessControlRequestHeaders(...) : List [<element>] : Object | TestHttp.java:133:14:133:54 | get(...) | provenance | MaD:2 |
-| TestHttp.java:136:14:136:14 | h : HttpHeaders | TestHttp.java:136:14:136:32 | getCacheControl(...) | provenance | MaD:27 |
-| TestHttp.java:137:14:137:14 | h : HttpHeaders | TestHttp.java:137:14:137:30 | getConnection(...) : List [<element>] : Object | provenance | MaD:28 |
+| TestHttp.java:136:14:136:14 | h : HttpHeaders | TestHttp.java:136:14:136:32 | getCacheControl(...) | provenance | MaD:26 |
+| TestHttp.java:137:14:137:14 | h : HttpHeaders | TestHttp.java:137:14:137:30 | getConnection(...) : List [<element>] : Object | provenance | MaD:27 |
 | TestHttp.java:137:14:137:30 | getConnection(...) : List [<element>] : Object | TestHttp.java:137:14:137:37 | get(...) | provenance | MaD:2 |
-| TestHttp.java:143:14:143:14 | h : HttpHeaders | TestHttp.java:143:14:143:24 | getETag(...) | provenance | MaD:29 |
-| TestHttp.java:145:14:145:14 | h : HttpHeaders | TestHttp.java:145:14:145:28 | getFirst(...) | provenance | MaD:30 |
-| TestHttp.java:145:14:145:14 | h : HttpHeaders | TestHttp.java:145:14:145:28 | getFirst(...) | provenance | MaD:73 |
-| TestHttp.java:148:14:148:14 | h : HttpHeaders | TestHttp.java:148:14:148:24 | getHost(...) | provenance | MaD:31 |
-| TestHttp.java:149:14:149:14 | h : HttpHeaders | TestHttp.java:149:14:149:27 | getIfMatch(...) : List [<element>] : Object | provenance | MaD:32 |
+| TestHttp.java:143:14:143:14 | h : HttpHeaders | TestHttp.java:143:14:143:24 | getETag(...) | provenance | MaD:28 |
+| TestHttp.java:145:14:145:14 | h : HttpHeaders | TestHttp.java:145:14:145:28 | getFirst(...) | provenance | MaD:29 |
+| TestHttp.java:148:14:148:14 | h : HttpHeaders | TestHttp.java:148:14:148:24 | getHost(...) | provenance | MaD:30 |
+| TestHttp.java:149:14:149:14 | h : HttpHeaders | TestHttp.java:149:14:149:27 | getIfMatch(...) : List [<element>] : Object | provenance | MaD:31 |
 | TestHttp.java:149:14:149:27 | getIfMatch(...) : List [<element>] : Object | TestHttp.java:149:14:149:34 | get(...) | provenance | MaD:2 |
-| TestHttp.java:151:14:151:14 | h : HttpHeaders | TestHttp.java:151:14:151:31 | getIfNoneMatch(...) : List [<element>] : Object | provenance | MaD:33 |
+| TestHttp.java:151:14:151:14 | h : HttpHeaders | TestHttp.java:151:14:151:31 | getIfNoneMatch(...) : List [<element>] : Object | provenance | MaD:32 |
 | TestHttp.java:151:14:151:31 | getIfNoneMatch(...) : List [<element>] : Object | TestHttp.java:151:14:151:38 | get(...) | provenance | MaD:2 |
-| TestHttp.java:154:14:154:14 | h : HttpHeaders | TestHttp.java:154:14:154:28 | getLocation(...) | provenance | MaD:34 |
-| TestHttp.java:155:14:155:14 | h : HttpHeaders | TestHttp.java:155:14:155:30 | getOrEmpty(...) : List [<element>] : Object | provenance | MaD:35 |
+| TestHttp.java:154:14:154:14 | h : HttpHeaders | TestHttp.java:154:14:154:28 | getLocation(...) | provenance | MaD:33 |
+| TestHttp.java:155:14:155:14 | h : HttpHeaders | TestHttp.java:155:14:155:30 | getOrEmpty(...) : List [<element>] : Object | provenance | MaD:34 |
 | TestHttp.java:155:14:155:30 | getOrEmpty(...) : List [<element>] : Object | TestHttp.java:155:14:155:37 | get(...) | provenance | MaD:2 |
-| TestHttp.java:156:14:156:14 | h : HttpHeaders | TestHttp.java:156:14:156:26 | getOrigin(...) | provenance | MaD:36 |
-| TestHttp.java:157:14:157:14 | h : HttpHeaders | TestHttp.java:157:14:157:26 | getPragma(...) | provenance | MaD:37 |
-| TestHttp.java:158:14:158:14 | h : HttpHeaders | TestHttp.java:158:14:158:27 | getUpgrade(...) | provenance | MaD:38 |
-| TestHttp.java:159:14:159:14 | h : HttpHeaders | TestHttp.java:159:14:159:35 | getValuesAsList(...) : List [<element>] : Object | provenance | MaD:39 |
+| TestHttp.java:156:14:156:14 | h : HttpHeaders | TestHttp.java:156:14:156:26 | getOrigin(...) | provenance | MaD:35 |
+| TestHttp.java:157:14:157:14 | h : HttpHeaders | TestHttp.java:157:14:157:26 | getPragma(...) | provenance | MaD:36 |
+| TestHttp.java:158:14:158:14 | h : HttpHeaders | TestHttp.java:158:14:158:27 | getUpgrade(...) | provenance | MaD:37 |
+| TestHttp.java:159:14:159:14 | h : HttpHeaders | TestHttp.java:159:14:159:35 | getValuesAsList(...) : List [<element>] : Object | provenance | MaD:38 |
 | TestHttp.java:159:14:159:35 | getValuesAsList(...) : List [<element>] : Object | TestHttp.java:159:14:159:42 | get(...) | provenance | MaD:2 |
-| TestHttp.java:160:14:160:14 | h : HttpHeaders | TestHttp.java:160:14:160:24 | getVary(...) : List [<element>] : Object | provenance | MaD:40 |
+| TestHttp.java:160:14:160:14 | h : HttpHeaders | TestHttp.java:160:14:160:24 | getVary(...) : List [<element>] : Object | provenance | MaD:39 |
 | TestHttp.java:160:14:160:24 | getVary(...) : List [<element>] : Object | TestHttp.java:160:14:160:31 | get(...) | provenance | MaD:2 |
 nodes
 | TestHttp.java:16:20:16:26 | taint(...) : String | semmle.label | taint(...) : String |
@@ -327,11 +314,9 @@ nodes
 | TestHttp.java:89:16:89:22 | taint(...) : String | semmle.label | taint(...) : String |
 | TestHttp.java:90:14:90:15 | h1 | semmle.label | h1 |
 | TestHttp.java:93:9:93:10 | h2 [post update] : HttpHeaders | semmle.label | h2 [post update] : HttpHeaders |
-| TestHttp.java:93:9:93:10 | h2 [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | h2 [post update] : HttpHeaders [<map.value>, <element>] : String |
 | TestHttp.java:93:21:93:27 | taint(...) : String | semmle.label | taint(...) : String |
 | TestHttp.java:94:14:94:15 | h2 | semmle.label | h2 |
 | TestHttp.java:97:9:97:10 | h3 [post update] : HttpHeaders | semmle.label | h3 [post update] : HttpHeaders |
-| TestHttp.java:97:9:97:10 | h3 [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | h3 [post update] : HttpHeaders [<map.value>, <element>] : String |
 | TestHttp.java:97:19:97:20 | m1 : LinkedMultiValueMap [<map.value>, <element>] : String | semmle.label | m1 : LinkedMultiValueMap [<map.value>, <element>] : String |
 | TestHttp.java:98:14:98:15 | h3 | semmle.label | h3 |
 | TestHttp.java:101:9:101:10 | h4 [post update] : HttpHeaders | semmle.label | h4 [post update] : HttpHeaders |
@@ -341,7 +326,6 @@ nodes
 | TestHttp.java:105:19:105:25 | taint(...) : String | semmle.label | taint(...) : String |
 | TestHttp.java:106:14:106:15 | h5 | semmle.label | h5 |
 | TestHttp.java:109:9:109:10 | h6 [post update] : HttpHeaders | semmle.label | h6 [post update] : HttpHeaders |
-| TestHttp.java:109:9:109:10 | h6 [post update] : HttpHeaders [<map.value>, <element>] : Object | semmle.label | h6 [post update] : HttpHeaders [<map.value>, <element>] : Object |
 | TestHttp.java:109:24:109:39 | of(...) : List [<element>] : Object | semmle.label | of(...) : List [<element>] : Object |
 | TestHttp.java:109:32:109:38 | taint(...) : String[] | semmle.label | taint(...) : String[] |
 | TestHttp.java:110:14:110:15 | h6 | semmle.label | h6 |
@@ -355,7 +339,6 @@ nodes
 | TestHttp.java:116:47:116:53 | taint(...) : String | semmle.label | taint(...) : String |
 | TestHttp.java:120:25:120:31 | taint(...) : HttpHeaders | semmle.label | taint(...) : HttpHeaders |
 | TestHttp.java:122:14:122:14 | h : HttpHeaders | semmle.label | h : HttpHeaders |
-| TestHttp.java:122:14:122:24 | get(...) : List | semmle.label | get(...) : List |
 | TestHttp.java:122:14:122:24 | get(...) : List [<element>] : Object | semmle.label | get(...) : List [<element>] : Object |
 | TestHttp.java:122:14:122:31 | get(...) | semmle.label | get(...) |
 | TestHttp.java:128:14:128:14 | h : HttpHeaders | semmle.label | h : HttpHeaders |
--- a/java/ql/test/library-tests/frameworks/spring/util/test.expected
+++ b/java/ql/test/library-tests/frameworks/spring/util/test.expected
--- a/java/ql/test/library-tests/frameworks/spring/webutil/test.expected
+++ b/java/ql/test/library-tests/frameworks/spring/webutil/test.expected
--- a/java/ql/test/library-tests/optional/test.expected
+++ b/java/ql/test/library-tests/optional/test.expected
@@ -53,9 +53,7 @@ edges
 | FunctionalTest.java:42:22:42:22 | v : String | FunctionalTest.java:43:18:43:18 | v | provenance |  |
 | FunctionalTest.java:45:9:48:22 | or(...) : Optional [<element>] : String | FunctionalTest.java:48:34:48:34 | v : String | provenance | MaD:6 |
 | FunctionalTest.java:48:15:48:21 | ...->... : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | FunctionalTest.java:45:9:48:22 | or(...) : Optional [<element>] : String | provenance | MaD:11 |
-| FunctionalTest.java:48:15:48:21 | ...->... : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | FunctionalTest.java:45:9:48:22 | or(...) : Optional [<element>] : String | provenance | heuristic-callback |
 | FunctionalTest.java:48:15:48:21 | ...->... : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | FunctionalTest.java:48:15:48:21 | parameter this : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | provenance | MaD:11 |
-| FunctionalTest.java:48:15:48:21 | ...->... : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | FunctionalTest.java:48:15:48:21 | parameter this : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | provenance | heuristic-callback |
 | FunctionalTest.java:48:15:48:21 | Optional<String> o : Optional [<element>] : String | FunctionalTest.java:48:15:48:21 | ...->... : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | provenance |  |
 | FunctionalTest.java:48:15:48:21 | parameter this : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | FunctionalTest.java:48:21:48:21 | this : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | provenance |  |
 | FunctionalTest.java:48:21:48:21 | this : new Supplier<Optional<? extends String>>(...) { ... } [Optional<String> o, <element>] : String | FunctionalTest.java:48:21:48:21 | o : Optional [<element>] : String | provenance |  |
--- a/java/ql/test/library-tests/scanner/test.expected
+++ b/java/ql/test/library-tests/scanner/test.expected
@@ -1,197 +1,195 @@
 models
-| 1 | Summary: java.util; Iterator; true; next; ; ; Argument[this].Element; ReturnValue; value; manual |
-| 2 | Summary: java.util; Scanner; true; Scanner; ; ; Argument[0]; Argument[this]; taint; manual |
-| 3 | Summary: java.util; Scanner; true; findInLine; ; ; Argument[this]; ReturnValue; taint; manual |
-| 4 | Summary: java.util; Scanner; true; findWithinHorizon; ; ; Argument[this]; ReturnValue; taint; manual |
-| 5 | Summary: java.util; Scanner; true; next; ; ; Argument[this]; ReturnValue; taint; manual |
-| 6 | Summary: java.util; Scanner; true; nextBigDecimal; ; ; Argument[this]; ReturnValue; taint; manual |
-| 7 | Summary: java.util; Scanner; true; nextBigInteger; ; ; Argument[this]; ReturnValue; taint; manual |
-| 8 | Summary: java.util; Scanner; true; nextBoolean; ; ; Argument[this]; ReturnValue; taint; manual |
-| 9 | Summary: java.util; Scanner; true; nextByte; ; ; Argument[this]; ReturnValue; taint; manual |
-| 10 | Summary: java.util; Scanner; true; nextDouble; ; ; Argument[this]; ReturnValue; taint; manual |
-| 11 | Summary: java.util; Scanner; true; nextFloat; ; ; Argument[this]; ReturnValue; taint; manual |
-| 12 | Summary: java.util; Scanner; true; nextInt; ; ; Argument[this]; ReturnValue; taint; manual |
-| 13 | Summary: java.util; Scanner; true; nextLine; ; ; Argument[this]; ReturnValue; taint; manual |
-| 14 | Summary: java.util; Scanner; true; nextLong; ; ; Argument[this]; ReturnValue; taint; manual |
-| 15 | Summary: java.util; Scanner; true; nextShort; ; ; Argument[this]; ReturnValue; taint; manual |
-| 16 | Summary: java.util; Scanner; true; reset; ; ; Argument[this]; ReturnValue; value; manual |
-| 17 | Summary: java.util; Scanner; true; skip; ; ; Argument[this]; ReturnValue; value; manual |
-| 18 | Summary: java.util; Scanner; true; useDelimiter; ; ; Argument[this]; ReturnValue; value; manual |
-| 19 | Summary: java.util; Scanner; true; useLocale; ; ; Argument[this]; ReturnValue; value; manual |
-| 20 | Summary: java.util; Scanner; true; useRadix; ; ; Argument[this]; ReturnValue; value; manual |
+| 1 | Summary: java.util; Scanner; true; Scanner; ; ; Argument[0]; Argument[this]; taint; manual |
+| 2 | Summary: java.util; Scanner; true; findInLine; ; ; Argument[this]; ReturnValue; taint; manual |
+| 3 | Summary: java.util; Scanner; true; findWithinHorizon; ; ; Argument[this]; ReturnValue; taint; manual |
+| 4 | Summary: java.util; Scanner; true; next; ; ; Argument[this]; ReturnValue; taint; manual |
+| 5 | Summary: java.util; Scanner; true; nextBigDecimal; ; ; Argument[this]; ReturnValue; taint; manual |
+| 6 | Summary: java.util; Scanner; true; nextBigInteger; ; ; Argument[this]; ReturnValue; taint; manual |
+| 7 | Summary: java.util; Scanner; true; nextBoolean; ; ; Argument[this]; ReturnValue; taint; manual |
+| 8 | Summary: java.util; Scanner; true; nextByte; ; ; Argument[this]; ReturnValue; taint; manual |
+| 9 | Summary: java.util; Scanner; true; nextDouble; ; ; Argument[this]; ReturnValue; taint; manual |
+| 10 | Summary: java.util; Scanner; true; nextFloat; ; ; Argument[this]; ReturnValue; taint; manual |
+| 11 | Summary: java.util; Scanner; true; nextInt; ; ; Argument[this]; ReturnValue; taint; manual |
+| 12 | Summary: java.util; Scanner; true; nextLine; ; ; Argument[this]; ReturnValue; taint; manual |
+| 13 | Summary: java.util; Scanner; true; nextLong; ; ; Argument[this]; ReturnValue; taint; manual |
+| 14 | Summary: java.util; Scanner; true; nextShort; ; ; Argument[this]; ReturnValue; taint; manual |
+| 15 | Summary: java.util; Scanner; true; reset; ; ; Argument[this]; ReturnValue; value; manual |
+| 16 | Summary: java.util; Scanner; true; skip; ; ; Argument[this]; ReturnValue; value; manual |
+| 17 | Summary: java.util; Scanner; true; useDelimiter; ; ; Argument[this]; ReturnValue; value; manual |
+| 18 | Summary: java.util; Scanner; true; useLocale; ; ; Argument[this]; ReturnValue; value; manual |
+| 19 | Summary: java.util; Scanner; true; useRadix; ; ; Argument[this]; ReturnValue; value; manual |
 edges
 | Test.java:27:14:27:28 | (...)... : File | Test.java:28:22:28:23 | in : File | provenance |  |
 | Test.java:27:21:27:28 | source(...) : Object | Test.java:27:14:27:28 | (...)... : File | provenance |  |
 | Test.java:28:10:28:24 | new Scanner(...) : Scanner | Test.java:29:9:29:11 | out | provenance |  |
-| Test.java:28:22:28:23 | in : File | Test.java:28:10:28:24 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:28:22:28:23 | in : File | Test.java:28:10:28:24 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:34:14:34:28 | (...)... : File | Test.java:35:22:35:23 | in : File | provenance |  |
 | Test.java:34:21:34:28 | source(...) : Object | Test.java:34:14:34:28 | (...)... : File | provenance |  |
 | Test.java:35:10:35:40 | new Scanner(...) : Scanner | Test.java:36:9:36:11 | out | provenance |  |
-| Test.java:35:22:35:23 | in : File | Test.java:35:10:35:40 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:35:22:35:23 | in : File | Test.java:35:10:35:40 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:41:14:41:28 | (...)... : File | Test.java:42:22:42:23 | in : File | provenance |  |
 | Test.java:41:21:41:28 | source(...) : Object | Test.java:41:14:41:28 | (...)... : File | provenance |  |
 | Test.java:42:10:42:39 | new Scanner(...) : Scanner | Test.java:43:9:43:11 | out | provenance |  |
-| Test.java:42:22:42:23 | in : File | Test.java:42:10:42:39 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:42:22:42:23 | in : File | Test.java:42:10:42:39 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:48:21:48:42 | (...)... : InputStream | Test.java:49:22:49:23 | in : InputStream | provenance |  |
 | Test.java:48:35:48:42 | source(...) : Object | Test.java:48:21:48:42 | (...)... : InputStream | provenance |  |
 | Test.java:49:10:49:24 | new Scanner(...) : Scanner | Test.java:50:9:50:11 | out | provenance |  |
-| Test.java:49:22:49:23 | in : InputStream | Test.java:49:10:49:24 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:49:22:49:23 | in : InputStream | Test.java:49:10:49:24 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:55:21:55:42 | (...)... : InputStream | Test.java:56:22:56:23 | in : InputStream | provenance |  |
 | Test.java:55:35:55:42 | source(...) : Object | Test.java:55:21:55:42 | (...)... : InputStream | provenance |  |
 | Test.java:56:10:56:40 | new Scanner(...) : Scanner | Test.java:57:9:57:11 | out | provenance |  |
-| Test.java:56:22:56:23 | in : InputStream | Test.java:56:10:56:40 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:56:22:56:23 | in : InputStream | Test.java:56:10:56:40 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:62:21:62:42 | (...)... : InputStream | Test.java:63:22:63:23 | in : InputStream | provenance |  |
 | Test.java:62:35:62:42 | source(...) : Object | Test.java:62:21:62:42 | (...)... : InputStream | provenance |  |
 | Test.java:63:10:63:39 | new Scanner(...) : Scanner | Test.java:64:9:64:11 | out | provenance |  |
-| Test.java:63:22:63:23 | in : InputStream | Test.java:63:10:63:39 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:63:22:63:23 | in : InputStream | Test.java:63:10:63:39 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:69:14:69:28 | (...)... : Path | Test.java:70:22:70:23 | in : Path | provenance |  |
 | Test.java:69:21:69:28 | source(...) : Object | Test.java:69:14:69:28 | (...)... : Path | provenance |  |
 | Test.java:70:10:70:24 | new Scanner(...) : Scanner | Test.java:71:9:71:11 | out | provenance |  |
-| Test.java:70:22:70:23 | in : Path | Test.java:70:10:70:24 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:70:22:70:23 | in : Path | Test.java:70:10:70:24 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:76:14:76:28 | (...)... : Path | Test.java:77:22:77:23 | in : Path | provenance |  |
 | Test.java:76:21:76:28 | source(...) : Object | Test.java:76:14:76:28 | (...)... : Path | provenance |  |
 | Test.java:77:10:77:40 | new Scanner(...) : Scanner | Test.java:78:9:78:11 | out | provenance |  |
-| Test.java:77:22:77:23 | in : Path | Test.java:77:10:77:40 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:77:22:77:23 | in : Path | Test.java:77:10:77:40 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:83:14:83:28 | (...)... : Path | Test.java:84:22:84:23 | in : Path | provenance |  |
 | Test.java:83:21:83:28 | source(...) : Object | Test.java:83:14:83:28 | (...)... : Path | provenance |  |
 | Test.java:84:10:84:39 | new Scanner(...) : Scanner | Test.java:85:9:85:11 | out | provenance |  |
-| Test.java:84:22:84:23 | in : Path | Test.java:84:10:84:39 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:84:22:84:23 | in : Path | Test.java:84:10:84:39 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:90:18:90:36 | (...)... : Readable | Test.java:91:22:91:23 | in : Readable | provenance |  |
 | Test.java:90:29:90:36 | source(...) : Object | Test.java:90:18:90:36 | (...)... : Readable | provenance |  |
 | Test.java:91:10:91:24 | new Scanner(...) : Scanner | Test.java:92:9:92:11 | out | provenance |  |
-| Test.java:91:22:91:23 | in : Readable | Test.java:91:10:91:24 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:91:22:91:23 | in : Readable | Test.java:91:10:91:24 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:97:29:97:58 | (...)... : ReadableByteChannel | Test.java:98:22:98:23 | in : ReadableByteChannel | provenance |  |
 | Test.java:97:51:97:58 | source(...) : Object | Test.java:97:29:97:58 | (...)... : ReadableByteChannel | provenance |  |
 | Test.java:98:10:98:24 | new Scanner(...) : Scanner | Test.java:99:9:99:11 | out | provenance |  |
-| Test.java:98:22:98:23 | in : ReadableByteChannel | Test.java:98:10:98:24 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:98:22:98:23 | in : ReadableByteChannel | Test.java:98:10:98:24 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:104:29:104:58 | (...)... : ReadableByteChannel | Test.java:105:22:105:23 | in : ReadableByteChannel | provenance |  |
 | Test.java:104:51:104:58 | source(...) : Object | Test.java:104:29:104:58 | (...)... : ReadableByteChannel | provenance |  |
 | Test.java:105:10:105:40 | new Scanner(...) : Scanner | Test.java:106:9:106:11 | out | provenance |  |
-| Test.java:105:22:105:23 | in : ReadableByteChannel | Test.java:105:10:105:40 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:105:22:105:23 | in : ReadableByteChannel | Test.java:105:10:105:40 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:111:29:111:58 | (...)... : ReadableByteChannel | Test.java:112:22:112:23 | in : ReadableByteChannel | provenance |  |
 | Test.java:111:51:111:58 | source(...) : Object | Test.java:111:29:111:58 | (...)... : ReadableByteChannel | provenance |  |
 | Test.java:112:10:112:39 | new Scanner(...) : Scanner | Test.java:113:9:113:11 | out | provenance |  |
-| Test.java:112:22:112:23 | in : ReadableByteChannel | Test.java:112:10:112:39 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:112:22:112:23 | in : ReadableByteChannel | Test.java:112:10:112:39 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:118:16:118:32 | (...)... : String | Test.java:119:22:119:23 | in : String | provenance |  |
 | Test.java:118:25:118:32 | source(...) : Object | Test.java:118:16:118:32 | (...)... : String | provenance |  |
 | Test.java:119:10:119:24 | new Scanner(...) : Scanner | Test.java:120:9:120:11 | out | provenance |  |
-| Test.java:119:22:119:23 | in : String | Test.java:119:10:119:24 | new Scanner(...) : Scanner | provenance | MaD:2 |
+| Test.java:119:22:119:23 | in : String | Test.java:119:10:119:24 | new Scanner(...) : Scanner | provenance | MaD:1 |
 | Test.java:125:17:125:34 | (...)... : Scanner | Test.java:126:10:126:11 | in : Scanner | provenance |  |
 | Test.java:125:27:125:34 | source(...) : Object | Test.java:125:17:125:34 | (...)... : Scanner | provenance |  |
-| Test.java:126:10:126:11 | in : Scanner | Test.java:126:10:126:38 | findInLine(...) : String | provenance | MaD:3 |
+| Test.java:126:10:126:11 | in : Scanner | Test.java:126:10:126:38 | findInLine(...) : String | provenance | MaD:2 |
 | Test.java:126:10:126:38 | findInLine(...) : String | Test.java:127:9:127:11 | out | provenance |  |
 | Test.java:132:17:132:34 | (...)... : Scanner | Test.java:133:10:133:11 | in : Scanner | provenance |  |
 | Test.java:132:27:132:34 | source(...) : Object | Test.java:132:17:132:34 | (...)... : Scanner | provenance |  |
-| Test.java:133:10:133:11 | in : Scanner | Test.java:133:10:133:37 | findInLine(...) : String | provenance | MaD:3 |
+| Test.java:133:10:133:11 | in : Scanner | Test.java:133:10:133:37 | findInLine(...) : String | provenance | MaD:2 |
 | Test.java:133:10:133:37 | findInLine(...) : String | Test.java:134:9:134:11 | out | provenance |  |
 | Test.java:139:17:139:34 | (...)... : Scanner | Test.java:140:10:140:11 | in : Scanner | provenance |  |
 | Test.java:139:27:139:34 | source(...) : Object | Test.java:139:17:139:34 | (...)... : Scanner | provenance |  |
-| Test.java:140:10:140:11 | in : Scanner | Test.java:140:10:140:48 | findWithinHorizon(...) : String | provenance | MaD:4 |
+| Test.java:140:10:140:11 | in : Scanner | Test.java:140:10:140:48 | findWithinHorizon(...) : String | provenance | MaD:3 |
 | Test.java:140:10:140:48 | findWithinHorizon(...) : String | Test.java:141:9:141:11 | out | provenance |  |
 | Test.java:146:17:146:34 | (...)... : Scanner | Test.java:147:10:147:11 | in : Scanner | provenance |  |
 | Test.java:146:27:146:34 | source(...) : Object | Test.java:146:17:146:34 | (...)... : Scanner | provenance |  |
-| Test.java:147:10:147:11 | in : Scanner | Test.java:147:10:147:47 | findWithinHorizon(...) : String | provenance | MaD:4 |
+| Test.java:147:10:147:11 | in : Scanner | Test.java:147:10:147:47 | findWithinHorizon(...) : String | provenance | MaD:3 |
 | Test.java:147:10:147:47 | findWithinHorizon(...) : String | Test.java:148:9:148:11 | out | provenance |  |
 | Test.java:153:17:153:34 | (...)... : Scanner | Test.java:154:10:154:11 | in : Scanner | provenance |  |
 | Test.java:153:27:153:34 | source(...) : Object | Test.java:153:17:153:34 | (...)... : Scanner | provenance |  |
-| Test.java:154:10:154:11 | in : Scanner | Test.java:154:10:154:32 | next(...) : String | provenance | MaD:5 |
+| Test.java:154:10:154:11 | in : Scanner | Test.java:154:10:154:32 | next(...) : String | provenance | MaD:4 |
 | Test.java:154:10:154:32 | next(...) : String | Test.java:155:9:155:11 | out | provenance |  |
 | Test.java:160:17:160:34 | (...)... : Scanner | Test.java:161:10:161:11 | in : Scanner | provenance |  |
 | Test.java:160:27:160:34 | source(...) : Object | Test.java:160:17:160:34 | (...)... : Scanner | provenance |  |
-| Test.java:161:10:161:11 | in : Scanner | Test.java:161:10:161:31 | next(...) : String | provenance | MaD:5 |
+| Test.java:161:10:161:11 | in : Scanner | Test.java:161:10:161:31 | next(...) : String | provenance | MaD:4 |
 | Test.java:161:10:161:31 | next(...) : String | Test.java:162:9:162:11 | out | provenance |  |
 | Test.java:167:17:167:34 | (...)... : Scanner | Test.java:168:10:168:11 | in : Scanner | provenance |  |
 | Test.java:167:27:167:34 | source(...) : Object | Test.java:167:17:167:34 | (...)... : Scanner | provenance |  |
-| Test.java:168:10:168:11 | in : Scanner | Test.java:168:10:168:18 | next(...) : String | provenance | MaD:1 |
-| Test.java:168:10:168:11 | in : Scanner | Test.java:168:10:168:18 | next(...) : String | provenance | MaD:5 |
+| Test.java:168:10:168:11 | in : Scanner | Test.java:168:10:168:18 | next(...) : String | provenance | MaD:4 |
 | Test.java:168:10:168:18 | next(...) : String | Test.java:169:9:169:11 | out | provenance |  |
 | Test.java:174:17:174:34 | (...)... : Scanner | Test.java:175:10:175:11 | in : Scanner | provenance |  |
 | Test.java:174:27:174:34 | source(...) : Object | Test.java:174:17:174:34 | (...)... : Scanner | provenance |  |
-| Test.java:175:10:175:11 | in : Scanner | Test.java:175:10:175:28 | nextBigDecimal(...) : BigDecimal | provenance | MaD:6 |
+| Test.java:175:10:175:11 | in : Scanner | Test.java:175:10:175:28 | nextBigDecimal(...) : BigDecimal | provenance | MaD:5 |
 | Test.java:175:10:175:28 | nextBigDecimal(...) : BigDecimal | Test.java:176:9:176:11 | out | provenance |  |
 | Test.java:181:17:181:34 | (...)... : Scanner | Test.java:182:10:182:11 | in : Scanner | provenance |  |
 | Test.java:181:27:181:34 | source(...) : Object | Test.java:181:17:181:34 | (...)... : Scanner | provenance |  |
-| Test.java:182:10:182:11 | in : Scanner | Test.java:182:10:182:28 | nextBigInteger(...) : BigInteger | provenance | MaD:7 |
+| Test.java:182:10:182:11 | in : Scanner | Test.java:182:10:182:28 | nextBigInteger(...) : BigInteger | provenance | MaD:6 |
 | Test.java:182:10:182:28 | nextBigInteger(...) : BigInteger | Test.java:183:9:183:11 | out | provenance |  |
 | Test.java:188:17:188:34 | (...)... : Scanner | Test.java:189:10:189:11 | in : Scanner | provenance |  |
 | Test.java:188:27:188:34 | source(...) : Object | Test.java:188:17:188:34 | (...)... : Scanner | provenance |  |
-| Test.java:189:10:189:11 | in : Scanner | Test.java:189:10:189:29 | nextBigInteger(...) : BigInteger | provenance | MaD:7 |
+| Test.java:189:10:189:11 | in : Scanner | Test.java:189:10:189:29 | nextBigInteger(...) : BigInteger | provenance | MaD:6 |
 | Test.java:189:10:189:29 | nextBigInteger(...) : BigInteger | Test.java:190:9:190:11 | out | provenance |  |
 | Test.java:195:17:195:34 | (...)... : Scanner | Test.java:196:10:196:11 | in : Scanner | provenance |  |
 | Test.java:195:27:195:34 | source(...) : Object | Test.java:195:17:195:34 | (...)... : Scanner | provenance |  |
-| Test.java:196:10:196:11 | in : Scanner | Test.java:196:10:196:25 | nextBoolean(...) : Boolean | provenance | MaD:8 |
+| Test.java:196:10:196:11 | in : Scanner | Test.java:196:10:196:25 | nextBoolean(...) : Boolean | provenance | MaD:7 |
 | Test.java:196:10:196:25 | nextBoolean(...) : Boolean | Test.java:197:9:197:11 | out | provenance |  |
 | Test.java:202:17:202:34 | (...)... : Scanner | Test.java:203:10:203:11 | in : Scanner | provenance |  |
 | Test.java:202:27:202:34 | source(...) : Object | Test.java:202:17:202:34 | (...)... : Scanner | provenance |  |
-| Test.java:203:10:203:11 | in : Scanner | Test.java:203:10:203:22 | nextByte(...) : Number | provenance | MaD:9 |
+| Test.java:203:10:203:11 | in : Scanner | Test.java:203:10:203:22 | nextByte(...) : Number | provenance | MaD:8 |
 | Test.java:203:10:203:22 | nextByte(...) : Number | Test.java:204:9:204:11 | out | provenance |  |
 | Test.java:209:17:209:34 | (...)... : Scanner | Test.java:210:10:210:11 | in : Scanner | provenance |  |
 | Test.java:209:27:209:34 | source(...) : Object | Test.java:209:17:209:34 | (...)... : Scanner | provenance |  |
-| Test.java:210:10:210:11 | in : Scanner | Test.java:210:10:210:23 | nextByte(...) : Number | provenance | MaD:9 |
+| Test.java:210:10:210:11 | in : Scanner | Test.java:210:10:210:23 | nextByte(...) : Number | provenance | MaD:8 |
 | Test.java:210:10:210:23 | nextByte(...) : Number | Test.java:211:9:211:11 | out | provenance |  |
 | Test.java:216:17:216:34 | (...)... : Scanner | Test.java:217:10:217:11 | in : Scanner | provenance |  |
 | Test.java:216:27:216:34 | source(...) : Object | Test.java:216:17:216:34 | (...)... : Scanner | provenance |  |
-| Test.java:217:10:217:11 | in : Scanner | Test.java:217:10:217:24 | nextDouble(...) : Number | provenance | MaD:10 |
+| Test.java:217:10:217:11 | in : Scanner | Test.java:217:10:217:24 | nextDouble(...) : Number | provenance | MaD:9 |
 | Test.java:217:10:217:24 | nextDouble(...) : Number | Test.java:218:9:218:11 | out | provenance |  |
 | Test.java:223:17:223:34 | (...)... : Scanner | Test.java:224:10:224:11 | in : Scanner | provenance |  |
 | Test.java:223:27:223:34 | source(...) : Object | Test.java:223:17:223:34 | (...)... : Scanner | provenance |  |
-| Test.java:224:10:224:11 | in : Scanner | Test.java:224:10:224:23 | nextFloat(...) : Number | provenance | MaD:11 |
+| Test.java:224:10:224:11 | in : Scanner | Test.java:224:10:224:23 | nextFloat(...) : Number | provenance | MaD:10 |
 | Test.java:224:10:224:23 | nextFloat(...) : Number | Test.java:225:9:225:11 | out | provenance |  |
 | Test.java:230:17:230:34 | (...)... : Scanner | Test.java:231:10:231:11 | in : Scanner | provenance |  |
 | Test.java:230:27:230:34 | source(...) : Object | Test.java:230:17:230:34 | (...)... : Scanner | provenance |  |
-| Test.java:231:10:231:11 | in : Scanner | Test.java:231:10:231:21 | nextInt(...) : Number | provenance | MaD:12 |
+| Test.java:231:10:231:11 | in : Scanner | Test.java:231:10:231:21 | nextInt(...) : Number | provenance | MaD:11 |
 | Test.java:231:10:231:21 | nextInt(...) : Number | Test.java:232:9:232:11 | out | provenance |  |
 | Test.java:237:17:237:34 | (...)... : Scanner | Test.java:238:10:238:11 | in : Scanner | provenance |  |
 | Test.java:237:27:237:34 | source(...) : Object | Test.java:237:17:237:34 | (...)... : Scanner | provenance |  |
-| Test.java:238:10:238:11 | in : Scanner | Test.java:238:10:238:22 | nextInt(...) : Number | provenance | MaD:12 |
+| Test.java:238:10:238:11 | in : Scanner | Test.java:238:10:238:22 | nextInt(...) : Number | provenance | MaD:11 |
 | Test.java:238:10:238:22 | nextInt(...) : Number | Test.java:239:9:239:11 | out | provenance |  |
 | Test.java:244:17:244:34 | (...)... : Scanner | Test.java:245:10:245:11 | in : Scanner | provenance |  |
 | Test.java:244:27:244:34 | source(...) : Object | Test.java:244:17:244:34 | (...)... : Scanner | provenance |  |
-| Test.java:245:10:245:11 | in : Scanner | Test.java:245:10:245:22 | nextLine(...) : String | provenance | MaD:13 |
+| Test.java:245:10:245:11 | in : Scanner | Test.java:245:10:245:22 | nextLine(...) : String | provenance | MaD:12 |
 | Test.java:245:10:245:22 | nextLine(...) : String | Test.java:246:9:246:11 | out | provenance |  |
 | Test.java:251:17:251:34 | (...)... : Scanner | Test.java:252:10:252:11 | in : Scanner | provenance |  |
 | Test.java:251:27:251:34 | source(...) : Object | Test.java:251:17:251:34 | (...)... : Scanner | provenance |  |
-| Test.java:252:10:252:11 | in : Scanner | Test.java:252:10:252:22 | nextLong(...) : Number | provenance | MaD:14 |
+| Test.java:252:10:252:11 | in : Scanner | Test.java:252:10:252:22 | nextLong(...) : Number | provenance | MaD:13 |
 | Test.java:252:10:252:22 | nextLong(...) : Number | Test.java:253:9:253:11 | out | provenance |  |
 | Test.java:258:17:258:34 | (...)... : Scanner | Test.java:259:10:259:11 | in : Scanner | provenance |  |
 | Test.java:258:27:258:34 | source(...) : Object | Test.java:258:17:258:34 | (...)... : Scanner | provenance |  |
-| Test.java:259:10:259:11 | in : Scanner | Test.java:259:10:259:23 | nextLong(...) : Number | provenance | MaD:14 |
+| Test.java:259:10:259:11 | in : Scanner | Test.java:259:10:259:23 | nextLong(...) : Number | provenance | MaD:13 |
 | Test.java:259:10:259:23 | nextLong(...) : Number | Test.java:260:9:260:11 | out | provenance |  |
 | Test.java:265:17:265:34 | (...)... : Scanner | Test.java:266:10:266:11 | in : Scanner | provenance |  |
 | Test.java:265:27:265:34 | source(...) : Object | Test.java:265:17:265:34 | (...)... : Scanner | provenance |  |
-| Test.java:266:10:266:11 | in : Scanner | Test.java:266:10:266:23 | nextShort(...) : Number | provenance | MaD:15 |
+| Test.java:266:10:266:11 | in : Scanner | Test.java:266:10:266:23 | nextShort(...) : Number | provenance | MaD:14 |
 | Test.java:266:10:266:23 | nextShort(...) : Number | Test.java:267:9:267:11 | out | provenance |  |
 | Test.java:272:17:272:34 | (...)... : Scanner | Test.java:273:10:273:11 | in : Scanner | provenance |  |
 | Test.java:272:27:272:34 | source(...) : Object | Test.java:272:17:272:34 | (...)... : Scanner | provenance |  |
-| Test.java:273:10:273:11 | in : Scanner | Test.java:273:10:273:24 | nextShort(...) : Number | provenance | MaD:15 |
+| Test.java:273:10:273:11 | in : Scanner | Test.java:273:10:273:24 | nextShort(...) : Number | provenance | MaD:14 |
 | Test.java:273:10:273:24 | nextShort(...) : Number | Test.java:274:9:274:11 | out | provenance |  |
 | Test.java:279:17:279:34 | (...)... : Scanner | Test.java:280:10:280:11 | in : Scanner | provenance |  |
 | Test.java:279:27:279:34 | source(...) : Object | Test.java:279:17:279:34 | (...)... : Scanner | provenance |  |
-| Test.java:280:10:280:11 | in : Scanner | Test.java:280:10:280:19 | reset(...) : Scanner | provenance | MaD:16 |
+| Test.java:280:10:280:11 | in : Scanner | Test.java:280:10:280:19 | reset(...) : Scanner | provenance | MaD:15 |
 | Test.java:280:10:280:19 | reset(...) : Scanner | Test.java:281:9:281:11 | out | provenance |  |
 | Test.java:286:17:286:34 | (...)... : Scanner | Test.java:287:10:287:11 | in : Scanner | provenance |  |
 | Test.java:286:27:286:34 | source(...) : Object | Test.java:286:17:286:34 | (...)... : Scanner | provenance |  |
-| Test.java:287:10:287:11 | in : Scanner | Test.java:287:10:287:32 | skip(...) : Scanner | provenance | MaD:17 |
+| Test.java:287:10:287:11 | in : Scanner | Test.java:287:10:287:32 | skip(...) : Scanner | provenance | MaD:16 |
 | Test.java:287:10:287:32 | skip(...) : Scanner | Test.java:288:9:288:11 | out | provenance |  |
 | Test.java:293:17:293:34 | (...)... : Scanner | Test.java:294:10:294:11 | in : Scanner | provenance |  |
 | Test.java:293:27:293:34 | source(...) : Object | Test.java:293:17:293:34 | (...)... : Scanner | provenance |  |
-| Test.java:294:10:294:11 | in : Scanner | Test.java:294:10:294:31 | skip(...) : Scanner | provenance | MaD:17 |
+| Test.java:294:10:294:11 | in : Scanner | Test.java:294:10:294:31 | skip(...) : Scanner | provenance | MaD:16 |
 | Test.java:294:10:294:31 | skip(...) : Scanner | Test.java:295:9:295:11 | out | provenance |  |
 | Test.java:300:17:300:34 | (...)... : Scanner | Test.java:301:10:301:11 | in : Scanner | provenance |  |
 | Test.java:300:27:300:34 | source(...) : Object | Test.java:300:17:300:34 | (...)... : Scanner | provenance |  |
-| Test.java:301:10:301:11 | in : Scanner | Test.java:301:10:301:40 | useDelimiter(...) : Scanner | provenance | MaD:18 |
+| Test.java:301:10:301:11 | in : Scanner | Test.java:301:10:301:40 | useDelimiter(...) : Scanner | provenance | MaD:17 |
 | Test.java:301:10:301:40 | useDelimiter(...) : Scanner | Test.java:302:9:302:11 | out | provenance |  |
 | Test.java:307:17:307:34 | (...)... : Scanner | Test.java:308:10:308:11 | in : Scanner | provenance |  |
 | Test.java:307:27:307:34 | source(...) : Object | Test.java:307:17:307:34 | (...)... : Scanner | provenance |  |
-| Test.java:308:10:308:11 | in : Scanner | Test.java:308:10:308:39 | useDelimiter(...) : Scanner | provenance | MaD:18 |
+| Test.java:308:10:308:11 | in : Scanner | Test.java:308:10:308:39 | useDelimiter(...) : Scanner | provenance | MaD:17 |
 | Test.java:308:10:308:39 | useDelimiter(...) : Scanner | Test.java:309:9:309:11 | out | provenance |  |
 | Test.java:314:17:314:34 | (...)... : Scanner | Test.java:315:10:315:11 | in : Scanner | provenance |  |
 | Test.java:314:27:314:34 | source(...) : Object | Test.java:314:17:314:34 | (...)... : Scanner | provenance |  |
-| Test.java:315:10:315:11 | in : Scanner | Test.java:315:10:315:27 | useLocale(...) : Scanner | provenance | MaD:19 |
+| Test.java:315:10:315:11 | in : Scanner | Test.java:315:10:315:27 | useLocale(...) : Scanner | provenance | MaD:18 |
 | Test.java:315:10:315:27 | useLocale(...) : Scanner | Test.java:316:9:316:11 | out | provenance |  |
 | Test.java:321:17:321:34 | (...)... : Scanner | Test.java:322:10:322:11 | in : Scanner | provenance |  |
 | Test.java:321:27:321:34 | source(...) : Object | Test.java:321:17:321:34 | (...)... : Scanner | provenance |  |
-| Test.java:322:10:322:11 | in : Scanner | Test.java:322:10:322:23 | useRadix(...) : Scanner | provenance | MaD:20 |
+| Test.java:322:10:322:11 | in : Scanner | Test.java:322:10:322:23 | useRadix(...) : Scanner | provenance | MaD:19 |
 | Test.java:322:10:322:23 | useRadix(...) : Scanner | Test.java:323:9:323:11 | out | provenance |  |
 nodes
 | Test.java:27:14:27:28 | (...)... : File | semmle.label | (...)... : File |
--- a/javascript/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ b/javascript/ql/lib/change-notes/2026-01-16-summarized-callable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
--- a/javascript/ql/lib/semmle/javascript/dataflow/FlowSummary.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/FlowSummary.qll
@@ -8,78 +8,94 @@ private import semmle.javascript.dataflow.internal.FlowSummaryPrivate
 private import semmle.javascript.dataflow.internal.sharedlib.DataFlowImplCommon as DataFlowImplCommon
 private import semmle.javascript.dataflow.internal.DataFlowPrivate

-/**
- * A model for a function that can propagate data flow.
- *
- * This class makes it possible to model flow through functions, using the same mechanism as
- * `summaryModel` as described in the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript).
- *
- * Extend this class to define summary models directly in CodeQL.
- * Data extensions and `summaryModel` are usually preferred; but there are a few cases where direct use of this class may be needed:
- *
- * - The relevant call sites cannot be matched by the access path syntax, and require the full power of CodeQL.
- *   For example, complex overloading patterns might require more local reasoning at the call site.
- * - The input/output behavior cannot be described statically in the access path syntax, but the relevant access paths
- *   can be generated dynamically in CodeQL, based on the usages found in the codebase.
- *
- * Subclasses should bind `this` to a unique identifier for the function being modeled. There is no special
- * interpreation of the `this` value, it should just not clash with the `this`-value used by other classes.
- *
- * For example, this models flow through calls such as `require("my-library").myFunction()`:
- * ```codeql
- * class MyFunction extends SummarizedCallable {
- *   MyFunction() { this = "MyFunction" }
- *
- *   override predicate propagatesFlow(string input, string output, boolean preservesValues) {
- *     input = "Argument[0]" and
- *     output = "ReturnValue" and
- *     preservesValue = false
- *   }
- *
- *   override DataFlow::InvokeNode getACall() {
- *     result = API::moduleImport("my-library").getMember("myFunction").getACall()
- *   }
- * }
- * ```
- * This would be equivalent to the following model written as a data extension:
- * ```yaml
- * extensions:
- *  - addsTo:
- *      pack: codeql/javascript-all
- *      extensible: summaryModel
- *    data:
- *      - ["my-library", "Member[myFunction]", "Argument[0]", "ReturnValue", "taint"]
- * ```
- */
-abstract class SummarizedCallable extends LibraryCallable, Impl::Public::SummarizedCallable {
-  bindingset[this]
-  SummarizedCallable() { any() }
+class Provenance = Impl::Public::Provenance;

+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
  /**
-   * Holds if data may flow from `input` to `output` through this callable.
+   * A model for a function that can propagate data flow.
   *
-   * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+   * This class makes it possible to model flow through functions, using the same mechanism as
+   * `summaryModel` as described in the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript).
   *
-   * See the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript) for
-   * the syntax of the `input` and `output` parameters.
+   * Extend this class to define summary models directly in CodeQL.
+   * Data extensions and `summaryModel` are usually preferred; but there are a few cases where direct use of this class may be needed:
+   *
+   * - The relevant call sites cannot be matched by the access path syntax, and require the full power of CodeQL.
+   *   For example, complex overloading patterns might require more local reasoning at the call site.
+   * - The input/output behavior cannot be described statically in the access path syntax, but the relevant access paths
+   *   can be generated dynamically in CodeQL, based on the usages found in the codebase.
+   *
+   * Subclasses should bind `this` to a unique identifier for the function being modeled. There is no special
+   * interpreation of the `this` value, it should just not clash with the `this`-value used by other classes.
+   *
+   * For example, this models flow through calls such as `require("my-library").myFunction()`:
+   * ```codeql
+   * class MyFunction extends SummarizedCallable::Range {
+   *   MyFunction() { this = "MyFunction" }
+   *
+   *   override predicate propagatesFlow(string input, string output, boolean preservesValues) {
+   *     input = "Argument[0]" and
+   *     output = "ReturnValue" and
+   *     preservesValue = false
+   *   }
+   *
+   *   override DataFlow::InvokeNode getACall() {
+   *     result = API::moduleImport("my-library").getMember("myFunction").getACall()
+   *   }
+   * }
+   * ```
+   * This would be equivalent to the following model written as a data extension:
+   * ```yaml
+   * extensions:
+   *  - addsTo:
+   *      pack: codeql/javascript-all
+   *      extensible: summaryModel
+   *    data:
+   *      - ["my-library", "Member[myFunction]", "Argument[0]", "ReturnValue", "taint"]
+   * ```
   */
-  pragma[nomagic]
-  predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
+  abstract class Range extends LibraryCallable, Impl::Public::SummarizedCallable {
+    bindingset[this]
+    Range() { any() }

-  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
-  ) {
-    this.propagatesFlow(input, output, preservesValue) and model = this
-  }
+    /**
+     * Holds if data may flow from `input` to `output` through this callable.
+     *
+     * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+     *
+     * See the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript) for
+     * the syntax of the `input` and `output` parameters.
+     */
+    pragma[nomagic]
+    predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }

-  /**
-   * Gets the synthesized parameter that results from an input specification
-   * that starts with `Argument[s]` for this library callable.
-   */
-  DataFlow::ParameterNode getParameter(string s) {
-    exists(ParameterPosition pos |
-      DataFlowImplCommon::parameterNode(result, MkLibraryCallable(this), pos) and
-      s = encodeParameterPosition(pos)
-    )
+    override predicate propagatesFlow(
+      string input, string output, boolean preservesValue, Provenance provenance, boolean isExact,
+      string model
+    ) {
+      this.propagatesFlow(input, output, preservesValue) and
+      provenance = "manual" and
+      model = this and
+      isExact = true
+    }
+
+    /**
+     * Gets the synthesized parameter that results from an input specification
+     * that starts with `Argument[s]` for this library callable.
+     */
+    DataFlow::ParameterNode getParameter(string s) {
+      exists(ParameterPosition pos |
+        DataFlowImplCommon::parameterNode(result, MkLibraryCallable(this), pos) and
+        s = encodeParameterPosition(pos)
+      )
+    }
  }
 }
+
+final private class SummarizedCallableFinal = SummarizedCallable::Range;
+
+/** A model for a function that can propagate data flow. */
+final class SummarizedCallable extends SummarizedCallableFinal,
+  Impl::Public::RelevantSummarizedCallable
+{ }
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll
@@ -28,6 +28,9 @@ module JSFlowSummary implements FlowSummaryImpl::InputSig<Location, JSDataFlow>
  private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate
  import FlowSummaryPrivate

+  overlay[local]
+  predicate callableFromSource(SummarizedCallableBase c) { none() }
+
  // Explicitly implement signature members that have a default
  predicate callbackSelfParameterPosition = FlowSummaryPrivate::callbackSelfParameterPosition/0;

--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/SummaryTypeTracker.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/SummaryTypeTracker.qll
@@ -69,7 +69,7 @@ private module SummaryFlowConfig implements Input {
    predicate propagatesFlow(
      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
    ) {
-      super.propagatesFlow(input, output, preservesValue, _)
+      super.propagatesFlow(input, output, preservesValue, _, _, _)
    }

    string toString() { result = super.toString() }
--- a/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll
@@ -173,7 +173,7 @@ module AsyncPackage {
  }

  overlay[local?]
-  private class IterationCallFlowSummary extends DataFlow::SummarizedCallable {
+  private class IterationCallFlowSummary extends DataFlow::SummarizedCallable::Range {
    private int callbackArgIndex;

    IterationCallFlowSummary() {
@@ -221,7 +221,7 @@ module AsyncPackage {
   * For example: `data -> result` in `async.sortBy(data, orderingFn, (err, result) => {})`.
   */
  overlay[local?]
-  private class IterationPreserveTaintStepFlowSummary extends DataFlow::SummarizedCallable {
+  private class IterationPreserveTaintStepFlowSummary extends DataFlow::SummarizedCallable::Range {
    IterationPreserveTaintStepFlowSummary() { this = "async.sortBy" }

    override DataFlow::InvokeNode getACallSimple() {
--- a/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll
@@ -186,7 +186,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashEach extends DataFlow::SummarizedCallable {
+  private class LodashEach extends DataFlow::SummarizedCallable::Range {
    LodashEach() { this = "_.each-like" }

    overlay[global]
@@ -202,7 +202,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashMap extends DataFlow::SummarizedCallable {
+  private class LodashMap extends DataFlow::SummarizedCallable::Range {
    LodashMap() { this = "_.map" }

    overlay[global]
@@ -221,7 +221,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashFlatMap extends DataFlow::SummarizedCallable {
+  private class LodashFlatMap extends DataFlow::SummarizedCallable::Range {
    LodashFlatMap() { this = "_.flatMap" }

    overlay[global]
@@ -243,7 +243,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashFlatMapDeep extends DataFlow::SummarizedCallable {
+  private class LodashFlatMapDeep extends DataFlow::SummarizedCallable::Range {
    LodashFlatMapDeep() { this = "_.flatMapDeep" }

    overlay[global]
@@ -267,7 +267,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashReduce extends DataFlow::SummarizedCallable {
+  private class LodashReduce extends DataFlow::SummarizedCallable::Range {
    LodashReduce() { this = "_.reduce-like" }

    overlay[global]
@@ -286,7 +286,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LoashSortBy extends DataFlow::SummarizedCallable {
+  private class LoashSortBy extends DataFlow::SummarizedCallable::Range {
    LoashSortBy() { this = "_.sortBy-like" }

    overlay[global]
@@ -304,7 +304,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashMinMaxBy extends DataFlow::SummarizedCallable {
+  private class LodashMinMaxBy extends DataFlow::SummarizedCallable::Range {
    LodashMinMaxBy() { this = "_.minBy / _.maxBy" }

    overlay[global]
@@ -318,7 +318,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashPartition extends DataFlow::SummarizedCallable {
+  private class LodashPartition extends DataFlow::SummarizedCallable::Range {
    LodashPartition() { this = "_.partition" }

    overlay[global]
@@ -332,7 +332,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class UnderscoreMapObject extends DataFlow::SummarizedCallable {
+  private class UnderscoreMapObject extends DataFlow::SummarizedCallable::Range {
    UnderscoreMapObject() { this = "_.mapObject" }

    overlay[global]
@@ -353,7 +353,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashTap extends DataFlow::SummarizedCallable {
+  private class LodashTap extends DataFlow::SummarizedCallable::Range {
    LodashTap() { this = "_.tap" }

    overlay[global]
@@ -367,7 +367,7 @@ module LodashUnderscore {
  }

  overlay[local?]
-  private class LodashGroupBy extends DataFlow::SummarizedCallable {
+  private class LodashGroupBy extends DataFlow::SummarizedCallable::Range {
    LodashGroupBy() { this = "_.groupBy" }

    override DataFlow::CallNode getACall() { result = member("groupBy").getACall() }
--- a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll
@@ -423,7 +423,7 @@ private module ClosureLibraryUri {
 }

 overlay[local?]
-private class QueryStringStringification extends DataFlow::SummarizedCallable {
+private class QueryStringStringification extends DataFlow::SummarizedCallable::Range {
  QueryStringStringification() { this = "query-string stringification" }

  overlay[global]
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll
@@ -49,7 +49,7 @@ private class ThreatModelSourceFromDataExtension extends ThreatModelSource::Rang
 }

 overlay[local?]
-private class SummarizedCallableFromModel extends DataFlow::SummarizedCallable {
+private class SummarizedCallableFromModel extends DataFlow::SummarizedCallable::Range {
  string type;
  string path;

@@ -62,9 +62,14 @@ private class SummarizedCallableFromModel extends DataFlow::SummarizedCallable {
  override DataFlow::InvokeNode getACall() { ModelOutput::resolvedSummaryBase(type, path, result) }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, DataFlow::Provenance provenance,
+    boolean isExact, string model
  ) {
-    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) |
+    exists(string kind |
+      ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) and
+      provenance = "manual" and
+      isExact = true
+    |
      kind = "value" and
      preservesValue = true
      or
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/AmbiguousCoreMethods.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/AmbiguousCoreMethods.qll
@@ -29,7 +29,7 @@ private import semmle.javascript.dataflow.FlowSummary
 private import Arrays
 private import FlowSummaryUtil

-class At extends SummarizedCallable {
+class At extends SummarizedCallable::Range {
  At() { this = "Array#at / String#at" }

  override InstanceCall getACallSimple() { result.getMethodName() = "at" }
@@ -43,7 +43,7 @@ class At extends SummarizedCallable {
  }
 }

-class Concat extends SummarizedCallable {
+class Concat extends SummarizedCallable::Range {
  Concat() { this = "Array#concat / String#concat / Buffer.concat" }

  override InstanceCall getACallSimple() { result.getMethodName() = "concat" }
@@ -62,7 +62,7 @@ class Concat extends SummarizedCallable {
  }
 }

-class Slice extends SummarizedCallable {
+class Slice extends SummarizedCallable::Range {
  Slice() { this = "Array#slice / String#slice" }

  override InstanceCall getACallSimple() { result.getMethodName() = "slice" }
@@ -78,7 +78,7 @@ class Slice extends SummarizedCallable {
  }
 }

-class Entries extends SummarizedCallable {
+class Entries extends SummarizedCallable::Range {
  Entries() { this = "Array#entries / Map#entries / Set#entries" }

  override InstanceCall getACall() {
@@ -98,7 +98,7 @@ class Entries extends SummarizedCallable {
  }
 }

-class ForEach extends SummarizedCallable {
+class ForEach extends SummarizedCallable::Range {
  ForEach() { this = "Array#forEach / Map#forEach / Set#forEach" }

  override InstanceCall getACallSimple() { result.getMethodName() = "forEach" }
@@ -126,7 +126,7 @@ class ForEach extends SummarizedCallable {
  }
 }

-class Keys extends SummarizedCallable {
+class Keys extends SummarizedCallable::Range {
  Keys() { this = "Array#keys / Map#keys / Set#keys" }

  override InstanceCall getACallSimple() {
@@ -141,7 +141,7 @@ class Keys extends SummarizedCallable {
  }
 }

-class Values extends SummarizedCallable {
+class Values extends SummarizedCallable::Range {
  Values() { this = "Array#values / Map#values / Set#values" }

  override InstanceCall getACallSimple() {
@@ -156,7 +156,7 @@ class Values extends SummarizedCallable {
  }
 }

-class ToString extends SummarizedCallable {
+class ToString extends SummarizedCallable::Range {
  ToString() { this = "Object#toString / Array#toString" }

  override InstanceCall getACallSimple() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
@@ -94,7 +94,7 @@ class DynamicArrayStoreStep extends DataFlow::AdditionalFlowStep {
  }
 }

-class ArrayConstructorSummary extends SummarizedCallable {
+class ArrayConstructorSummary extends SummarizedCallable::Range {
  ArrayConstructorSummary() { this = "Array constructor" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -118,7 +118,7 @@ class ArrayConstructorSummary extends SummarizedCallable {
 *
 * Calls without separators are modeled in `StringConcatenation.qll`.
 */
-class Join extends SummarizedCallable {
+class Join extends SummarizedCallable::Range {
  Join() { this = "Array#join" }

  override InstanceCall getACallSimple() {
@@ -133,7 +133,7 @@ class Join extends SummarizedCallable {
  }
 }

-class CopyWithin extends SummarizedCallable {
+class CopyWithin extends SummarizedCallable::Range {
  CopyWithin() { this = "Array#copyWithin" }

  override InstanceCall getACallSimple() { result.getMethodName() = "copyWithin" }
@@ -150,7 +150,7 @@ class CopyWithin extends SummarizedCallable {
  }
 }

-class FlowIntoCallback extends SummarizedCallable {
+class FlowIntoCallback extends SummarizedCallable::Range {
  FlowIntoCallback() { this = "Array method with flow into callback" }

  override InstanceCall getACallSimple() {
@@ -169,7 +169,7 @@ class FlowIntoCallback extends SummarizedCallable {
  }
 }

-class Filter extends SummarizedCallable {
+class Filter extends SummarizedCallable::Range {
  Filter() { this = "Array#filter" }

  override InstanceCall getACallSimple() { result.getMethodName() = "filter" }
@@ -196,7 +196,7 @@ class Filter extends SummarizedCallable {
  }
 }

-class Fill extends SummarizedCallable {
+class Fill extends SummarizedCallable::Range {
  Fill() { this = "Array#fill" } // TODO: clear contents if no interval is given

  override InstanceCall getACallSimple() { result.getMethodName() = "fill" }
@@ -208,7 +208,7 @@ class Fill extends SummarizedCallable {
  }
 }

-class FindLike extends SummarizedCallable {
+class FindLike extends SummarizedCallable::Range {
  FindLike() { this = "Array#find / Array#findLast" }

  override InstanceCall getACallSimple() { result.getMethodName() = ["find", "findLast"] }
@@ -225,7 +225,7 @@ class FindLike extends SummarizedCallable {
  }
 }

-class FindLibrary extends SummarizedCallable {
+class FindLibrary extends SummarizedCallable::Range {
  FindLibrary() { this = "'array.prototype.find' / 'array-find'" }

  override DataFlow::CallNode getACallSimple() {
@@ -244,7 +244,7 @@ class FindLibrary extends SummarizedCallable {
  }
 }

-class Flat extends SummarizedCallable {
+class Flat extends SummarizedCallable::Range {
  private int depth;

  Flat() { this = "Array#flat(" + depth + ")" and depth in [1 .. 3] }
@@ -275,7 +275,7 @@ class Flat extends SummarizedCallable {
  }
 }

-class FlatMap extends SummarizedCallable {
+class FlatMap extends SummarizedCallable::Range {
  FlatMap() { this = "Array#flatMap" }

  override InstanceCall getACallSimple() { result.getMethodName() = "flatMap" }
@@ -305,7 +305,7 @@ private DataFlow::CallNode arrayFromCall() {
  result = DataFlow::moduleImport("array-from").getACall()
 }

-class From1Arg extends SummarizedCallable {
+class From1Arg extends SummarizedCallable::Range {
  From1Arg() { this = "Array.from(arg)" }

  override DataFlow::CallNode getACallSimple() {
@@ -338,7 +338,7 @@ class From1Arg extends SummarizedCallable {
  }
 }

-class FromManyArg extends SummarizedCallable {
+class FromManyArg extends SummarizedCallable::Range {
  FromManyArg() { this = "Array.from(arg, callback, [thisArg])" }

  override DataFlow::CallNode getACallSimple() {
@@ -370,7 +370,7 @@ class FromManyArg extends SummarizedCallable {
  }
 }

-class Map extends SummarizedCallable {
+class Map extends SummarizedCallable::Range {
  Map() { this = "Array#map" }

  override InstanceCall getACallSimple() {
@@ -398,7 +398,7 @@ class Map extends SummarizedCallable {
  }
 }

-class Of extends SummarizedCallable {
+class Of extends SummarizedCallable::Range {
  Of() { this = "Array.of" }

  override DataFlow::CallNode getACallSimple() {
@@ -412,7 +412,7 @@ class Of extends SummarizedCallable {
  }
 }

-class Pop extends SummarizedCallable {
+class Pop extends SummarizedCallable::Range {
  Pop() { this = "Array#pop" }

  override InstanceCall getACallSimple() { result.getMethodName() = "pop" }
@@ -424,7 +424,7 @@ class Pop extends SummarizedCallable {
  }
 }

-class PushLike extends SummarizedCallable {
+class PushLike extends SummarizedCallable::Range {
  PushLike() { this = "Array#push / Array#unshift" }

  override InstanceCall getACallSimple() { result.getMethodName() = ["push", "unshift"] }
@@ -436,7 +436,7 @@ class PushLike extends SummarizedCallable {
  }
 }

-class ReduceLike extends SummarizedCallable {
+class ReduceLike extends SummarizedCallable::Range {
  ReduceLike() { this = "Array#reduce / Array#reduceRight" }

  override InstanceCall getACallSimple() { result.getMethodName() = ["reduce", "reduceRight"] }
@@ -465,7 +465,7 @@ class ReduceLike extends SummarizedCallable {
  }
 }

-class Reverse extends SummarizedCallable {
+class Reverse extends SummarizedCallable::Range {
  Reverse() { this = "Array#reverse / Array#toReversed" }

  override InstanceCall getACallSimple() { result.getMethodName() = ["reverse", "toReversed"] }
@@ -477,7 +477,7 @@ class Reverse extends SummarizedCallable {
  }
 }

-class Shift extends SummarizedCallable {
+class Shift extends SummarizedCallable::Range {
  Shift() { this = "Array#shift" }

  override InstanceCall getACallSimple() { result.getMethodName() = "shift" }
@@ -495,7 +495,7 @@ class Shift extends SummarizedCallable {
  }
 }

-class Sort extends SummarizedCallable {
+class Sort extends SummarizedCallable::Range {
  Sort() { this = "Array#sort / Array#toSorted" }

  override InstanceCall getACallSimple() { result.getMethodName() = ["sort", "toSorted"] }
@@ -512,7 +512,7 @@ class Sort extends SummarizedCallable {
  }
 }

-class Splice extends SummarizedCallable {
+class Splice extends SummarizedCallable::Range {
  Splice() { this = "Array#splice" }

  override InstanceCall getACallSimple() { result.getMethodName() = "splice" }
@@ -529,7 +529,7 @@ class Splice extends SummarizedCallable {
  }
 }

-class ToSpliced extends SummarizedCallable {
+class ToSpliced extends SummarizedCallable::Range {
  ToSpliced() { this = "Array#toSpliced" }

  override InstanceCall getACallSimple() { result.getMethodName() = "toSpliced" }
@@ -546,7 +546,7 @@ class ToSpliced extends SummarizedCallable {
  }
 }

-class With extends SummarizedCallable {
+class With extends SummarizedCallable::Range {
  With() { this = "Array#with" }

  override InstanceCall getACallSimple() { result.getMethodName() = "with" }
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Decoders.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Decoders.qll
@@ -16,7 +16,7 @@ private class TextDecoderEntryPoint extends API::EntryPoint {
 pragma[nomagic]
 API::Node textDecoderConstructorRef() { result = any(TextDecoderEntryPoint e).getANode() }

-class Decode extends SummarizedCallable {
+class Decode extends SummarizedCallable::Range {
  Decode() { this = "TextDecoder#decode" }

  override InstanceCall getACall() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/ExceptionFlow.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/ExceptionFlow.qll
@@ -29,7 +29,7 @@ private predicate isCallback(DataFlow::SourceNode node) {
 * See also `FlowSummaryDefaultExceptionalReturn`, which handles calls that have a summary target,
 * but where the summary does not mention `ReturnValue[exception]`.
 */
-private class ExceptionFlowSummary extends SummarizedCallable, LibraryCallableInternal {
+private class ExceptionFlowSummary extends SummarizedCallable::Range, LibraryCallableInternal {
  ExceptionFlowSummary() { this = "Exception propagator" }

  override DataFlow::CallNode getACallStage2() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/FlowSummaryUtil.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/FlowSummaryUtil.qll
@@ -20,7 +20,7 @@ class InstanceCall extends DataFlow::CallNode {
 /**
 * A summary a function that is the default export from an NPM package.
 */
-abstract class FunctionalPackageSummary extends SummarizedCallable {
+abstract class FunctionalPackageSummary extends SummarizedCallable::Range {
  bindingset[this]
  FunctionalPackageSummary() { any() }

--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Iterators.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Iterators.qll
@@ -10,7 +10,7 @@ private import semmle.javascript.dataflow.FlowSummary
 private import semmle.javascript.dataflow.internal.AdditionalFlowInternal
 private import FlowSummaryUtil

-class IteratorNext extends SummarizedCallable {
+class IteratorNext extends SummarizedCallable::Range {
  IteratorNext() { this = "Iterator#next" }

  override DataFlow::MethodCallNode getACallSimple() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/JsonStringify.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/JsonStringify.qll
@@ -9,7 +9,7 @@ private import FlowSummaryUtil
 private import semmle.javascript.dataflow.internal.AdditionalFlowInternal
 private import semmle.javascript.dataflow.FlowSummary

-private class JsonStringifySummary extends SummarizedCallable {
+private class JsonStringifySummary extends SummarizedCallable::Range {
  JsonStringifySummary() { this = "JSON.stringify" }

  override DataFlow::InvokeNode getACall() { result instanceof JsonStringifyCall }
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Maps.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Maps.qll
@@ -10,7 +10,7 @@ private import FlowSummaryUtil

 private DataFlow::SourceNode mapConstructorRef() { result = DataFlow::globalVarRef("Map") }

-class MapConstructor extends SummarizedCallable {
+class MapConstructor extends SummarizedCallable::Range {
  MapConstructor() { this = "Map constructor" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -80,7 +80,7 @@ class MapSetStep extends DataFlow::AdditionalFlowStep {
  }
 }

-class MapGet extends SummarizedCallable {
+class MapGet extends SummarizedCallable::Range {
  MapGet() { this = "Map#get" }

  override DataFlow::MethodCallNode getACallSimple() {
@@ -96,7 +96,7 @@ class MapGet extends SummarizedCallable {
  }
 }

-class MapSet extends SummarizedCallable {
+class MapSet extends SummarizedCallable::Range {
  MapSet() { this = "Map#set" }

  override DataFlow::MethodCallNode getACallSimple() {
@@ -121,7 +121,7 @@ class MapSet extends SummarizedCallable {
  }
 }

-class MapGroupBy extends SummarizedCallable {
+class MapGroupBy extends SummarizedCallable::Range {
  MapGroupBy() { this = "Map#groupBy" }

  override DataFlow::CallNode getACallSimple() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Promises.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Promises.qll
@@ -23,7 +23,7 @@ DataFlow::SourceNode promiseConstructorRef() {
 // Note that the 'Awaited' token has a special interpretation.
 // See a write-up here: https://github.com/github/codeql-javascript-team/issues/423
 //
-private class PromiseConstructor extends SummarizedCallable {
+private class PromiseConstructor extends SummarizedCallable::Range {
  PromiseConstructor() { this = "new Promise()" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -53,7 +53,7 @@ private class PromiseConstructor extends SummarizedCallable {
 * for callbacks.
 */
 module PromiseConstructorWorkaround {
-  class ResolveSummary extends SummarizedCallable {
+  class ResolveSummary extends SummarizedCallable::Range {
    ResolveSummary() { this = "new Promise() resolve callback" }

    override DataFlow::InvokeNode getACallSimple() {
@@ -68,7 +68,7 @@ module PromiseConstructorWorkaround {
    }
  }

-  class RejectCallback extends SummarizedCallable {
+  class RejectCallback extends SummarizedCallable::Range {
    RejectCallback() { this = "new Promise() reject callback" }

    override DataFlow::InvokeNode getACallSimple() {
@@ -83,7 +83,7 @@ module PromiseConstructorWorkaround {
    }
  }

-  class ConstructorSummary extends SummarizedCallable {
+  class ConstructorSummary extends SummarizedCallable::Range {
    ConstructorSummary() { this = "new Promise() workaround" }

    override DataFlow::InvokeNode getACallSimple() {
@@ -106,7 +106,7 @@ module PromiseConstructorWorkaround {
  }
 }

-private class PromiseThen2Arguments extends SummarizedCallable {
+private class PromiseThen2Arguments extends SummarizedCallable::Range {
  PromiseThen2Arguments() { this = "Promise#then() with 2 arguments" }

  override InstanceCall getACallSimple() {
@@ -128,7 +128,7 @@ private class PromiseThen2Arguments extends SummarizedCallable {
  }
 }

-private class PromiseThen1Argument extends SummarizedCallable {
+private class PromiseThen1Argument extends SummarizedCallable::Range {
  PromiseThen1Argument() { this = "Promise#then() with 1 argument" }

  override InstanceCall getACallSimple() {
@@ -150,7 +150,7 @@ private class PromiseThen1Argument extends SummarizedCallable {
  }
 }

-private class PromiseCatch extends SummarizedCallable {
+private class PromiseCatch extends SummarizedCallable::Range {
  PromiseCatch() { this = "Promise#catch()" }

  override InstanceCall getACallSimple() { result.getMethodName() = "catch" }
@@ -169,7 +169,7 @@ private class PromiseCatch extends SummarizedCallable {
  }
 }

-private class PromiseFinally extends SummarizedCallable {
+private class PromiseFinally extends SummarizedCallable::Range {
  PromiseFinally() { this = "Promise#finally()" }

  override InstanceCall getACallSimple() { result.getMethodName() = "finally" }
@@ -186,7 +186,7 @@ private class PromiseFinally extends SummarizedCallable {
  }
 }

-private class PromiseResolve extends SummarizedCallable {
+private class PromiseResolve extends SummarizedCallable::Range {
  PromiseResolve() { this = "Promise.resolve()" }

  override InstanceCall getACallSimple() {
@@ -200,7 +200,7 @@ private class PromiseResolve extends SummarizedCallable {
  }
 }

-private class PromiseReject extends SummarizedCallable {
+private class PromiseReject extends SummarizedCallable::Range {
  PromiseReject() { this = "Promise.reject()" }

  override InstanceCall getACallSimple() {
@@ -261,7 +261,7 @@ private class PromiseAllStep extends SharedTypeTrackingStep {
  }
 }

-private class PromiseAll extends SummarizedCallable {
+private class PromiseAll extends SummarizedCallable::Range {
  PromiseAll() { this = "Promise.all()" }

  override DataFlow::InvokeNode getACallSimple() { result instanceof PromiseAllCall }
@@ -283,7 +283,7 @@ private class PromiseAll extends SummarizedCallable {
  }
 }

-private class PromiseAnyLike extends SummarizedCallable {
+private class PromiseAnyLike extends SummarizedCallable::Range {
  PromiseAnyLike() { this = "Promise.any() or Promise.race()" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -297,7 +297,7 @@ private class PromiseAnyLike extends SummarizedCallable {
  }
 }

-private class PromiseAllSettled extends SummarizedCallable {
+private class PromiseAllSettled extends SummarizedCallable::Range {
  PromiseAllSettled() { this = "Promise.allSettled()" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -318,7 +318,7 @@ private class PromiseAllSettled extends SummarizedCallable {
  }
 }

-private class BluebirdMapSeries extends SummarizedCallable {
+private class BluebirdMapSeries extends SummarizedCallable::Range {
  BluebirdMapSeries() { this = "bluebird.mapSeries" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -351,7 +351,7 @@ private class BluebirdMapSeries extends SummarizedCallable {
 * - `goog.Closure.withResolver()` (non-plural spelling)
 * - `bluebird.Promise.defer()`
 */
-private class PromiseWithResolversLike extends SummarizedCallable {
+private class PromiseWithResolversLike extends SummarizedCallable::Range {
  PromiseWithResolversLike() { this = "Promise.withResolvers()" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -371,7 +371,7 @@ private class PromiseWithResolversLike extends SummarizedCallable {
  }
 }

-class PromiseTry extends DataFlow::SummarizedCallable {
+class PromiseTry extends DataFlow::SummarizedCallable::Range {
  PromiseTry() { this = "Promise.try()" }

  override DataFlow::CallNode getACallSimple() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Sets.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Sets.qll
@@ -10,7 +10,7 @@ private import FlowSummaryUtil

 private DataFlow::SourceNode setConstructorRef() { result = DataFlow::globalVarRef("Set") }

-class SetConstructor extends SummarizedCallable {
+class SetConstructor extends SummarizedCallable::Range {
  SetConstructor() { this = "Set constructor" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -32,7 +32,7 @@ class SetConstructor extends SummarizedCallable {
  }
 }

-class SetAdd extends SummarizedCallable {
+class SetAdd extends SummarizedCallable::Range {
  SetAdd() { this = "Set#add" }

  override DataFlow::MethodCallNode getACallSimple() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Strings.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Strings.qll
@@ -10,7 +10,7 @@ private import semmle.javascript.dataflow.FlowSummary
 /**
 * Summary for calls to `.replace` or `.replaceAll` (without a regexp pattern containing a wildcard).
 */
-private class StringReplaceNoWildcard extends SummarizedCallable {
+private class StringReplaceNoWildcard extends SummarizedCallable::Range {
  StringReplaceNoWildcard() {
    this = "String#replace / String#replaceAll (without wildcard pattern)"
  }
@@ -34,7 +34,7 @@ private class StringReplaceNoWildcard extends SummarizedCallable {
 *
 * In this case, the receiver is considered to flow into the callback.
 */
-private class StringReplaceWithWildcard extends SummarizedCallable {
+private class StringReplaceWithWildcard extends SummarizedCallable::Range {
  StringReplaceWithWildcard() {
    this = "String#replace / String#replaceAll (with wildcard pattern)"
  }
@@ -53,7 +53,7 @@ private class StringReplaceWithWildcard extends SummarizedCallable {
  }
 }

-class StringSplit extends SummarizedCallable {
+class StringSplit extends SummarizedCallable::Range {
  StringSplit() { this = "String#split" }

  override DataFlow::MethodCallNode getACallSimple() {
@@ -78,7 +78,7 @@ class StringSplit extends SummarizedCallable {
 * This summary defaults to the same behavior as the general `.split()` case, but it contains optional steps
 * and barriers named `tainted-url-suffix` that should be activated when tracking a tainted URL suffix.
 */
-class StringSplitHashOrQuestionMark extends SummarizedCallable {
+class StringSplitHashOrQuestionMark extends SummarizedCallable::Range {
  StringSplitHashOrQuestionMark() { this = "String#split with '#' or '?'" }

  override DataFlow::MethodCallNode getACallSimple() {
@@ -102,7 +102,7 @@ class StringSplitHashOrQuestionMark extends SummarizedCallable {
  }
 }

-class StringFromCharCode extends SummarizedCallable {
+class StringFromCharCode extends SummarizedCallable::Range {
  StringFromCharCode() { this = "String#fromCharCode" }

  override DataFlow::CallNode getACall() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll
@@ -16,7 +16,7 @@ private class TypedArrayEntryPoint extends API::EntryPoint {
 pragma[nomagic]
 API::Node typedArrayConstructorRef() { result = any(TypedArrayEntryPoint e).getANode() }

-class TypedArrayConstructorSummary extends SummarizedCallable {
+class TypedArrayConstructorSummary extends SummarizedCallable::Range {
  TypedArrayConstructorSummary() { this = "TypedArray constructor" }

  override DataFlow::InvokeNode getACall() {
@@ -40,7 +40,7 @@ class BufferTypedArray extends DataFlow::AdditionalFlowStep {
  }
 }

-class TypedArraySet extends SummarizedCallable {
+class TypedArraySet extends SummarizedCallable::Range {
  TypedArraySet() { this = "TypedArray#set" }

  override InstanceCall getACall() {
@@ -54,7 +54,7 @@ class TypedArraySet extends SummarizedCallable {
  }
 }

-class TypedArraySubarray extends SummarizedCallable {
+class TypedArraySubarray extends SummarizedCallable::Range {
  TypedArraySubarray() { this = "TypedArray#subarray" }

  override InstanceCall getACall() { result.getMethodName() = "subarray" }
@@ -77,7 +77,7 @@ private class ArrayBufferEntryPoint extends API::EntryPoint {
 pragma[nomagic]
 API::Node arrayBufferConstructorRef() { result = any(ArrayBufferEntryPoint a).getANode() }

-class TransferLike extends SummarizedCallable {
+class TransferLike extends SummarizedCallable::Range {
  TransferLike() { this = "ArrayBuffer#transfer" }

  override InstanceCall getACall() {
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/UrlSearchParams.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/UrlSearchParams.qll
@@ -14,7 +14,7 @@ DataFlow::SourceNode urlSearchParamsConstructorRef() {
  result = DataFlow::globalVarRef("URLSearchParams")
 }

-class URLSearchParams extends DataFlow::SummarizedCallable {
+class URLSearchParams extends DataFlow::SummarizedCallable::Range {
  URLSearchParams() { this = "URLSearchParams" }

  override DataFlow::InvokeNode getACallSimple() {
@@ -30,7 +30,7 @@ class URLSearchParams extends DataFlow::SummarizedCallable {
  }
 }

-class GetAll extends DataFlow::SummarizedCallable {
+class GetAll extends DataFlow::SummarizedCallable::Range {
  GetAll() { this = "getAll" }

  override DataFlow::MethodCallNode getACallSimple() {
@@ -44,7 +44,7 @@ class GetAll extends DataFlow::SummarizedCallable {
  }
 }

-class URLConstructor extends DataFlow::SummarizedCallable {
+class URLConstructor extends DataFlow::SummarizedCallable::Range {
  URLConstructor() { this = "URL" }

  override DataFlow::InvokeNode getACallSimple() {
--- a/javascript/ql/lib/utils/test/InlineSummaries.qll
+++ b/javascript/ql/lib/utils/test/InlineSummaries.qll
@@ -2,7 +2,7 @@ import javascript
 import semmle.javascript.dataflow.FlowSummary

 overlay[local?]
-class MkSummary extends SummarizedCallable {
+class MkSummary extends SummarizedCallable::Range {
  private CallExpr mkSummary;

  MkSummary() {
--- a/python/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ b/python/ql/lib/change-notes/2026-01-16-summarized-callable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
--- a/python/ql/lib/semmle/python/dataflow/new/FlowSummary.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/FlowSummary.qll
@@ -22,30 +22,39 @@ deprecated class SummaryComponentStack = Impl::Private::SummaryComponentStack;

 deprecated module SummaryComponentStack = Impl::Private::SummaryComponentStack;

-/** A callable with a flow summary, identified by a unique string. */
-abstract class SummarizedCallable extends LibraryCallable, Impl::Public::SummarizedCallable {
-  bindingset[this]
-  SummarizedCallable() { any() }
+class Provenance = Impl::Public::Provenance;

-  /**
-   * DEPRECATED: Use `propagatesFlow` instead.
-   */
-  deprecated predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
-    this.propagatesFlow(input, output, preservesValue, _)
+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
+  /** A callable with a flow summary, identified by a unique string. */
+  abstract class Range extends LibraryCallable, Impl::Public::SummarizedCallable {
+    bindingset[this]
+    Range() { any() }
+
+    override predicate propagatesFlow(
+      string input, string output, boolean preservesValue, Provenance p, boolean isExact,
+      string model
+    ) {
+      this.propagatesFlow(input, output, preservesValue) and
+      p = "manual" and
+      isExact = true and
+      model = this
+    }
+
+    /**
+     * Holds if data may flow from `input` to `output` through this callable.
+     *
+     * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+     */
+    predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
  }
-
-  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
-  ) {
-    this.propagatesFlow(input, output, preservesValue) and model = this
-  }
-
-  /**
-   * Holds if data may flow from `input` to `output` through this callable.
-   *
-   * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
-   */
-  predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
 }

+final private class SummarizedCallableFinal = SummarizedCallable::Range;
+
+/** A callable with a flow summary, identified by a unique string. */
+final class SummarizedCallable extends SummarizedCallableFinal,
+  Impl::Public::RelevantSummarizedCallable
+{ }
+
 deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;
--- a/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll
@@ -18,6 +18,8 @@ module Input implements InputSig<Location, DataFlowImplSpecific::PythonDataFlow>

  class SinkBase = Void;

+  predicate callableFromSource(SummarizedCallableBase c) { none() }
+
  ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() }

  ReturnKind getStandardReturnValueKind() { any() }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
@@ -30,7 +30,7 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input {
    predicate propagatesFlow(
      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
    ) {
-      super.propagatesFlow(input, output, preservesValue, _)
+      super.propagatesFlow(input, output, preservesValue, _, _, _)
    }
  }

--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -674,7 +674,7 @@ module Flask {
   *
   * see https://flask.palletsprojects.com/en/2.3.x/api/#flask.render_template_string
   */
-  private class RenderTemplateStringSummary extends SummarizedCallable {
+  private class RenderTemplateStringSummary extends SummarizedCallable::Range {
    RenderTemplateStringSummary() { this = "flask.render_template_string" }

    override DataFlow::CallCfgNode getACall() {
@@ -700,7 +700,7 @@ module Flask {
   *
   * see https://flask.palletsprojects.com/en/2.3.x/api/#flask.stream_template_string
   */
-  private class StreamTemplateStringSummary extends SummarizedCallable {
+  private class StreamTemplateStringSummary extends SummarizedCallable::Range {
    StreamTemplateStringSummary() { this = "flask.stream_template_string" }

    override DataFlow::CallCfgNode getACall() {
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -3187,7 +3187,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3.11/library/re.html#re-objects
   */
-  class RePatternSummary extends SummarizedCallable {
+  class RePatternSummary extends SummarizedCallable::Range {
    RePatternSummary() { this = "re.Pattern" }

    override DataFlow::CallCfgNode getACall() {
@@ -3227,7 +3227,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3/library/re.html#re.Match
   */
-  class ReMatchSummary extends SummarizedCallable {
+  class ReMatchSummary extends SummarizedCallable::Range {
    ReMatchSummary() { this = ["re.Match", "compiled re.Match"] }

    override DataFlow::CallCfgNode getACall() {
@@ -3291,7 +3291,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3/library/re.html#re.Match
   */
-  class ReMatchMethodsSummary extends SummarizedCallable {
+  class ReMatchMethodsSummary extends SummarizedCallable::Range {
    string methodName;

    ReMatchMethodsSummary() {
@@ -3335,7 +3335,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3/library/re.html#functions
   */
-  class ReFunctionsSummary extends SummarizedCallable {
+  class ReFunctionsSummary extends SummarizedCallable::Range {
    string methodName;

    ReFunctionsSummary() {
@@ -4183,7 +4183,7 @@ module StdlibPrivate {
   *
   * see https://docs.python.org/3/library/stdtypes.html#dict
   */
-  class DictSummary extends SummarizedCallable {
+  class DictSummary extends SummarizedCallable::Range {
    DictSummary() { this = "builtins.dict" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("dict").getACall() }
@@ -4222,7 +4222,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `list`. */
-  class ListSummary extends SummarizedCallable {
+  class ListSummary extends SummarizedCallable::Range {
    ListSummary() { this = "builtins.list" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("list").getACall() }
@@ -4252,7 +4252,7 @@ module StdlibPrivate {
  }

  /** A flow summary for tuple */
-  class TupleSummary extends SummarizedCallable {
+  class TupleSummary extends SummarizedCallable::Range {
    TupleSummary() { this = "builtins.tuple" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("tuple").getACall() }
@@ -4277,7 +4277,7 @@ module StdlibPrivate {
  }

  /** A flow summary for set */
-  class SetSummary extends SummarizedCallable {
+  class SetSummary extends SummarizedCallable::Range {
    SetSummary() { this = "builtins.set" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("set").getACall() }
@@ -4307,7 +4307,7 @@ module StdlibPrivate {
  }

  /** A flow summary for frozenset */
-  class FrozensetSummary extends SummarizedCallable {
+  class FrozensetSummary extends SummarizedCallable::Range {
    FrozensetSummary() { this = "builtins.frozenset" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("frozenset").getACall() }
@@ -4325,7 +4325,7 @@ module StdlibPrivate {
  // Flow summaries for functions operating on containers
  // ---------------------------------------------------------------------------
  /** A flow summary for `reversed`. */
-  class ReversedSummary extends SummarizedCallable {
+  class ReversedSummary extends SummarizedCallable::Range {
    ReversedSummary() { this = "builtins.reversed" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("reversed").getACall() }
@@ -4355,7 +4355,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `sorted`. */
-  class SortedSummary extends SummarizedCallable {
+  class SortedSummary extends SummarizedCallable::Range {
    SortedSummary() { this = "builtins.sorted" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("sorted").getACall() }
@@ -4387,7 +4387,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `iter`. */
-  class IterSummary extends SummarizedCallable {
+  class IterSummary extends SummarizedCallable::Range {
    IterSummary() { this = "builtins.iter" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("iter").getACall() }
@@ -4417,7 +4417,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `next`. */
-  class NextSummary extends SummarizedCallable {
+  class NextSummary extends SummarizedCallable::Range {
    NextSummary() { this = "builtins.next" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("next").getACall() }
@@ -4447,7 +4447,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `map`. */
-  class MapSummary extends SummarizedCallable {
+  class MapSummary extends SummarizedCallable::Range {
    MapSummary() { this = "builtins.map" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("map").getACall() }
@@ -4482,7 +4482,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `filter`. */
-  class FilterSummary extends SummarizedCallable {
+  class FilterSummary extends SummarizedCallable::Range {
    FilterSummary() { this = "builtins.filter" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("filter").getACall() }
@@ -4508,7 +4508,7 @@ module StdlibPrivate {
  }

  /**A summary for `enumerate`. */
-  class EnumerateSummary extends SummarizedCallable {
+  class EnumerateSummary extends SummarizedCallable::Range {
    EnumerateSummary() { this = "builtins.enumerate" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("enumerate").getACall() }
@@ -4534,7 +4534,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `zip`. */
-  class ZipSummary extends SummarizedCallable {
+  class ZipSummary extends SummarizedCallable::Range {
    ZipSummary() { this = "builtins.zip" }

    override DataFlow::CallCfgNode getACall() { result = API::builtin("zip").getACall() }
@@ -4568,7 +4568,7 @@ module StdlibPrivate {
  // Flow summaries for container methods
  // ---------------------------------------------------------------------------
  /** A flow summary for `copy`. */
-  class CopySummary extends SummarizedCallable {
+  class CopySummary extends SummarizedCallable::Range {
    CopySummary() { this = "collection.copy" }

    override DataFlow::CallCfgNode getACall() {
@@ -4591,7 +4591,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `copy.replace`. */
-  class ReplaceSummary extends SummarizedCallable {
+  class ReplaceSummary extends SummarizedCallable::Range {
    ReplaceSummary() { this = "copy.replace" }

    override DataFlow::CallCfgNode getACall() {
@@ -4624,7 +4624,7 @@ module StdlibPrivate {
   * I also handles the default value when `pop` is called
   * on a dictionary, since that also does not depend on the key.
   */
-  class PopSummary extends SummarizedCallable {
+  class PopSummary extends SummarizedCallable::Range {
    PopSummary() { this = "collection.pop" }

    override DataFlow::CallCfgNode getACall() {
@@ -4655,7 +4655,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `dict.pop` */
-  class DictPopSummary extends SummarizedCallable {
+  class DictPopSummary extends SummarizedCallable::Range {
    string key;

    DictPopSummary() {
@@ -4678,7 +4678,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `dict.get` at specific content. */
-  class DictGetSummary extends SummarizedCallable {
+  class DictGetSummary extends SummarizedCallable::Range {
    string key;

    DictGetSummary() {
@@ -4706,7 +4706,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `dict.get` disregarding content. */
-  class DictGetAnySummary extends SummarizedCallable {
+  class DictGetAnySummary extends SummarizedCallable::Range {
    DictGetAnySummary() { this = "dict.get" }

    override DataFlow::CallCfgNode getACall() {
@@ -4729,7 +4729,7 @@ module StdlibPrivate {
  }

  /** A flow summary for `dict.popitem` */
-  class DictPopitemSummary extends SummarizedCallable {
+  class DictPopitemSummary extends SummarizedCallable::Range {
    DictPopitemSummary() { this = "dict.popitem" }

    override DataFlow::CallCfgNode getACall() {
@@ -4753,7 +4753,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3.10/library/stdtypes.html#dict.setdefault
   */
-  class DictSetdefaultSummary extends SummarizedCallable {
+  class DictSetdefaultSummary extends SummarizedCallable::Range {
    DictSetdefaultSummary() { this = "dict.setdefault" }

    override DataFlow::CallCfgNode getACall() {
@@ -4778,7 +4778,7 @@ module StdlibPrivate {
   * This summary handles read and store steps. See `DictSetdefaultSummary`
   * for the dataflow steps.
   */
-  class DictSetdefaultKeySummary extends SummarizedCallable {
+  class DictSetdefaultKeySummary extends SummarizedCallable::Range {
    string key;

    DictSetdefaultKeySummary() {
@@ -4811,7 +4811,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3.10/library/stdtypes.html#dict.values
   */
-  class DictValues extends SummarizedCallable {
+  class DictValues extends SummarizedCallable::Range {
    DictValues() { this = "dict.values" }

    override DataFlow::CallCfgNode getACall() {
@@ -4840,7 +4840,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3.10/library/stdtypes.html#dict.keys
   */
-  class DictKeys extends SummarizedCallable {
+  class DictKeys extends SummarizedCallable::Range {
    DictKeys() { this = "dict.keys" }

    override DataFlow::CallCfgNode getACall() { result.(DataFlow::MethodCallNode).calls(_, "keys") }
@@ -4862,7 +4862,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3.10/library/stdtypes.html#dict.items
   */
-  class DictItems extends SummarizedCallable {
+  class DictItems extends SummarizedCallable::Range {
    DictItems() { this = "dict.items" }

    override DataFlow::CallCfgNode getACall() {
@@ -4892,7 +4892,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3.10/library/stdtypes.html#typesseq-mutable
   */
-  class ListAppend extends SummarizedCallable {
+  class ListAppend extends SummarizedCallable::Range {
    ListAppend() { this = "list.append" }

    override DataFlow::CallCfgNode getACall() {
@@ -4921,7 +4921,7 @@ module StdlibPrivate {
   *
   * See https://docs.python.org/3.10/library/stdtypes.html#frozenset.add
   */
-  class SetAdd extends SummarizedCallable {
+  class SetAdd extends SummarizedCallable::Range {
    SetAdd() { this = "set.add" }

    override DataFlow::CallCfgNode getACall() { result.(DataFlow::MethodCallNode).calls(_, "add") }
@@ -4948,7 +4948,7 @@ module StdlibPrivate {
   *
   * See https://devdocs.io/python~3.11/library/os#os.getenv
   */
-  class OsGetEnv extends SummarizedCallable {
+  class OsGetEnv extends SummarizedCallable::Range {
    OsGetEnv() { this = "os.getenv" }

    override DataFlow::CallCfgNode getACall() {
--- a/python/ql/lib/semmle/python/frameworks/data/ModelsAsData.qll
+++ b/python/ql/lib/semmle/python/frameworks/data/ModelsAsData.qll
@@ -33,12 +33,16 @@ private class ThreatModelSourceFromDataExtension extends ThreatModelSource::Rang
  }
 }

-private class SummarizedCallableFromModel extends SummarizedCallable {
+private class SummarizedCallableFromModel extends SummarizedCallable::Range {
  string type;
  string path;
+  string input_;
+  string output_;
+  string kind;
+  string model_;

  SummarizedCallableFromModel() {
-    ModelOutput::relevantSummaryModel(type, path, _, _, _, _) and
+    ModelOutput::relevantSummaryModel(type, path, input_, output_, kind, model_) and
    this = type + ";" + path
  }

@@ -52,14 +56,13 @@ private class SummarizedCallableFromModel extends SummarizedCallable {
  }

  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
  ) {
-    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) |
-      kind = "value" and
-      preservesValue = true
-      or
-      kind = "taint" and
-      preservesValue = false
-    )
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = "manual" and
+    isExact = true and
+    model = model_
  }
 }
--- a/python/ql/test/library-tests/dataflow/summaries/TestSummaries.qll
+++ b/python/ql/test/library-tests/dataflow/summaries/TestSummaries.qll
@@ -10,7 +10,7 @@ private import semmle.python.ApiGraphs
 module RecursionGuard {
  private import semmle.python.dataflow.new.internal.TypeTrackingImpl::TypeTrackingInput as TT

-  private class RecursionGuard extends SummarizedCallable {
+  private class RecursionGuard extends SummarizedCallable::Range {
    RecursionGuard() { this = "RecursionGuard" }

    override DataFlow::CallCfgNode getACall() {
@@ -26,7 +26,7 @@ module RecursionGuard {
  }
 }

-private class SummarizedCallableIdentity extends SummarizedCallable {
+private class SummarizedCallableIdentity extends SummarizedCallable::Range {
  SummarizedCallableIdentity() { this = "identity" }

  override DataFlow::CallCfgNode getACall() {
@@ -43,7 +43,7 @@ private class SummarizedCallableIdentity extends SummarizedCallable {
 }

 // For lambda flow to work, implement lambdaCall and lambdaCreation
-private class SummarizedCallableApplyLambda extends SummarizedCallable {
+private class SummarizedCallableApplyLambda extends SummarizedCallable::Range {
  SummarizedCallableApplyLambda() { this = "apply_lambda" }

  override DataFlow::CallCfgNode getACall() {
@@ -63,7 +63,7 @@ private class SummarizedCallableApplyLambda extends SummarizedCallable {
  }
 }

-private class SummarizedCallableReversed extends SummarizedCallable {
+private class SummarizedCallableReversed extends SummarizedCallable::Range {
  SummarizedCallableReversed() { this = "list_reversed" }

  override DataFlow::CallCfgNode getACall() {
@@ -79,7 +79,7 @@ private class SummarizedCallableReversed extends SummarizedCallable {
  }
 }

-private class SummarizedCallableMap extends SummarizedCallable {
+private class SummarizedCallableMap extends SummarizedCallable::Range {
  SummarizedCallableMap() { this = "list_map" }

  override DataFlow::CallCfgNode getACall() {
@@ -99,7 +99,7 @@ private class SummarizedCallableMap extends SummarizedCallable {
  }
 }

-private class SummarizedCallableAppend extends SummarizedCallable {
+private class SummarizedCallableAppend extends SummarizedCallable::Range {
  SummarizedCallableAppend() { this = "append_to_list" }

  override DataFlow::CallCfgNode getACall() {
@@ -119,7 +119,7 @@ private class SummarizedCallableAppend extends SummarizedCallable {
  }
 }

-private class SummarizedCallableJsonLoads extends SummarizedCallable {
+private class SummarizedCallableJsonLoads extends SummarizedCallable::Range {
  SummarizedCallableJsonLoads() { this = "json.loads" }

  override DataFlow::CallCfgNode getACall() {
@@ -138,7 +138,7 @@ private class SummarizedCallableJsonLoads extends SummarizedCallable {
 }

 // Repeated summaries
-private class SummarizedCallableWithSubpath extends SummarizedCallable {
+private class SummarizedCallableWithSubpath extends SummarizedCallable::Range {
  SummarizedCallableWithSubpath() { this = "extracted_package.functions.with_subpath" }

  override DataFlow::CallCfgNode getACall() {
@@ -164,7 +164,7 @@ private class SummarizedCallableWithSubpath extends SummarizedCallable {
  }
 }

-private class SummarizedCallableWithSubpathAgain extends SummarizedCallable {
+private class SummarizedCallableWithSubpathAgain extends SummarizedCallable::Range {
  SummarizedCallableWithSubpathAgain() { this = "extracted_package.functions.with_subpathII" }

  override DataFlow::CallCfgNode getACall() {
@@ -190,7 +190,7 @@ private class SummarizedCallableWithSubpathAgain extends SummarizedCallable {
  }
 }

-private class SummarizedCallableWithoutSubpath extends SummarizedCallable {
+private class SummarizedCallableWithoutSubpath extends SummarizedCallable::Range {
  SummarizedCallableWithoutSubpath() { this = "extracted_package.functions.without_subpath" }

  override DataFlow::CallCfgNode getACall() {
@@ -216,7 +216,7 @@ private class SummarizedCallableWithoutSubpath extends SummarizedCallable {
  }
 }

-private class SummarizedCallableWithoutSubpathAgain extends SummarizedCallable {
+private class SummarizedCallableWithoutSubpathAgain extends SummarizedCallable::Range {
  SummarizedCallableWithoutSubpathAgain() { this = "extracted_package.functions.without_subpathII" }

  override DataFlow::CallCfgNode getACall() {
--- a/python/ql/test/library-tests/dataflow/typetracking-summaries/TestSummaries.qll
+++ b/python/ql/test/library-tests/dataflow/typetracking-summaries/TestSummaries.qll
@@ -10,7 +10,7 @@ private import semmle.python.ApiGraphs
 module RecursionGuard {
  private import semmle.python.dataflow.new.internal.TypeTrackingImpl::TypeTrackingInput as TT

-  private class RecursionGuard extends SummarizedCallable {
+  private class RecursionGuard extends SummarizedCallable::Range {
    RecursionGuard() { this = "TypeTrackingSummariesRecursionGuard" }

    override DataFlow::CallCfgNode getACall() {
@@ -32,7 +32,7 @@ module RecursionGuard {
  }
 }

-private class SummarizedCallableIdentity extends SummarizedCallable {
+private class SummarizedCallableIdentity extends SummarizedCallable::Range {
  SummarizedCallableIdentity() { this = "TTS_identity" }

  override DataFlow::CallCfgNode getACall() { none() }
@@ -51,7 +51,7 @@ private class SummarizedCallableIdentity extends SummarizedCallable {
 }

 // For lambda flow to work, implement lambdaCall and lambdaCreation
-private class SummarizedCallableApplyLambda extends SummarizedCallable {
+private class SummarizedCallableApplyLambda extends SummarizedCallable::Range {
  SummarizedCallableApplyLambda() { this = "TTS_apply_lambda" }

  override DataFlow::CallCfgNode getACall() { none() }
@@ -73,7 +73,7 @@ private class SummarizedCallableApplyLambda extends SummarizedCallable {
  }
 }

-private class SummarizedCallableReversed extends SummarizedCallable {
+private class SummarizedCallableReversed extends SummarizedCallable::Range {
  SummarizedCallableReversed() { this = "TTS_reversed" }

  override DataFlow::CallCfgNode getACall() { none() }
@@ -91,7 +91,7 @@ private class SummarizedCallableReversed extends SummarizedCallable {
  }
 }

-private class SummarizedCallableMap extends SummarizedCallable {
+private class SummarizedCallableMap extends SummarizedCallable::Range {
  SummarizedCallableMap() { this = "TTS_list_map" }

  override DataFlow::CallCfgNode getACall() { none() }
@@ -113,7 +113,7 @@ private class SummarizedCallableMap extends SummarizedCallable {
  }
 }

-private class SummarizedCallableAppend extends SummarizedCallable {
+private class SummarizedCallableAppend extends SummarizedCallable::Range {
  SummarizedCallableAppend() { this = "TTS_append_to_list" }

  override DataFlow::CallCfgNode getACall() { none() }
@@ -135,7 +135,7 @@ private class SummarizedCallableAppend extends SummarizedCallable {
  }
 }

-private class SummarizedCallableJsonLoads extends SummarizedCallable {
+private class SummarizedCallableJsonLoads extends SummarizedCallable::Range {
  SummarizedCallableJsonLoads() { this = "TTS_json.loads" }

  override DataFlow::CallCfgNode getACall() {
@@ -156,7 +156,7 @@ private class SummarizedCallableJsonLoads extends SummarizedCallable {
 }

 // read and store
-private class SummarizedCallableReadSecret extends SummarizedCallable {
+private class SummarizedCallableReadSecret extends SummarizedCallable::Range {
  SummarizedCallableReadSecret() { this = "TTS_read_secret" }

  override DataFlow::CallCfgNode getACall() { none() }
@@ -174,7 +174,7 @@ private class SummarizedCallableReadSecret extends SummarizedCallable {
  }
 }

-private class SummarizedCallableSetSecret extends SummarizedCallable {
+private class SummarizedCallableSetSecret extends SummarizedCallable::Range {
  SummarizedCallableSetSecret() { this = "TTS_set_secret" }

  override DataFlow::CallCfgNode getACall() { none() }
--- a/ruby/ql/docs/flow_summaries.md
+++ b/ruby/ql/docs/flow_summaries.md
@@ -19,7 +19,7 @@ to be tainted in the call to `system`.
 have no source code, so we include a flow summary for it:

 ```ql
-private class ChompSummary extends SimpleSummarizedCallable {
+private class ChompSummary extends SummarizedCallable::RangeSimple {
  ChompSummary() { this = "chomp" }

  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
--- a/ruby/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ b/ruby/ql/lib/change-notes/2026-01-16-summarized-callable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
--- a/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll
@@ -15,65 +15,64 @@ private module Summaries {
  private import codeql.ruby.frameworks.data.ModelsAsData
 }

-deprecated class SummaryComponent = Impl::Private::SummaryComponent;
+class Provenance = Impl::Public::Provenance;

-deprecated module SummaryComponent = Impl::Private::SummaryComponent;
+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
+  /** A callable with a flow summary, identified by a unique string. */
+  abstract class Range extends LibraryCallable, Impl::Public::SummarizedCallable {
+    bindingset[this]
+    Range() { any() }

-deprecated class SummaryComponentStack = Impl::Private::SummaryComponentStack;
+    override predicate propagatesFlow(
+      string input, string output, boolean preservesValue, Provenance p, boolean isExact,
+      string model
+    ) {
+      this.propagatesFlow(input, output, preservesValue) and
+      p = "manual" and
+      isExact = true and
+      model = ""
+    }

-deprecated module SummaryComponentStack = Impl::Private::SummaryComponentStack;
+    /**
+     * Holds if data may flow from `input` to `output` through this callable.
+     *
+     * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+     */
+    predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
+
+    /**
+     * Gets the synthesized parameter that results from an input specification
+     * that starts with `Argument[s]` for this library callable.
+     */
+    DataFlow::ParameterNode getParameter(string s) {
+      exists(ParameterPosition pos |
+        DataFlowImplCommon::parameterNode(result, TLibraryCallable(this), pos) and
+        s = Impl::Input::encodeParameterPosition(pos)
+      )
+    }
+  }
+
+  /**
+   * A callable with a flow summary, identified by a unique string, where all
+   * calls to a method with the same name are considered relevant.
+   */
+  abstract class RangeSimple extends Range {
+    MethodCall mc;
+
+    bindingset[this]
+    RangeSimple() { mc.getMethodName() = this }
+
+    final override MethodCall getACallSimple() { result = mc }
+  }
+}
+
+final private class SummarizedCallableFinal = SummarizedCallable::Range;

 /** A callable with a flow summary, identified by a unique string. */
-abstract class SummarizedCallable extends LibraryCallable, Impl::Public::SummarizedCallable {
-  bindingset[this]
-  SummarizedCallable() { any() }
-
-  /**
-   * DEPRECATED: Use `propagatesFlow` instead.
-   */
-  deprecated predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
-    this.propagatesFlow(input, output, preservesValue, _)
-  }
-
-  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
-  ) {
-    this.propagatesFlow(input, output, preservesValue) and model = ""
-  }
-
-  /**
-   * Holds if data may flow from `input` to `output` through this callable.
-   *
-   * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
-   */
-  predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
-
-  /**
-   * Gets the synthesized parameter that results from an input specification
-   * that starts with `Argument[s]` for this library callable.
-   */
-  DataFlow::ParameterNode getParameter(string s) {
-    exists(ParameterPosition pos |
-      DataFlowImplCommon::parameterNode(result, TLibraryCallable(this), pos) and
-      s = Impl::Input::encodeParameterPosition(pos)
-    )
-  }
-}
-
-/**
- * A callable with a flow summary, identified by a unique string, where all
- * calls to a method with the same name are considered relevant.
- */
-abstract class SimpleSummarizedCallable extends SummarizedCallable {
-  MethodCall mc;
-
-  bindingset[this]
-  SimpleSummarizedCallable() { mc.getMethodName() = this }
-
-  final override MethodCall getACallSimple() { result = mc }
-}
-
-deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;
+final class SummarizedCallable extends SummarizedCallableFinal,
+  Impl::Public::RelevantSummarizedCallable
+{ }

 /**
 * Provides a set of special flow summaries to ensure that callbacks passed into
@@ -103,7 +102,7 @@ private module LibraryCallbackSummaries {
    )
  }

-  private class LibraryLambdaMethod extends SummarizedCallable {
+  private class LibraryLambdaMethod extends SummarizedCallable::Range {
    LibraryLambdaMethod() { this = "<library method accepting a callback>" }

    final override MethodCall getACall() {
@@ -114,7 +113,8 @@ private module LibraryCallbackSummaries {
    }

    override predicate propagatesFlow(
-      string input, string output, boolean preservesValue, string model
+      string input, string output, boolean preservesValue, Provenance p, boolean isExact,
+      string model
    ) {
      (
        input = "Argument[block]" and
@@ -127,6 +127,8 @@ private module LibraryCallbackSummaries {
        )
      ) and
      preservesValue = true and
+      p = "hq-generated" and
+      isExact = true and
      model = "heuristic-callback"
    }
  }
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -240,7 +240,9 @@ class NormalCall extends DataFlowCall, TNormalCall {
 module ViewComponentRenderModeling {
  private import codeql.ruby.frameworks.ViewComponent

-  private class RenderMethod extends SummarizedCallable, LibraryCallableToIncludeInTypeTracking {
+  private class RenderMethod extends SummarizedCallable::Range,
+    LibraryCallableToIncludeInTypeTracking
+  {
    RenderMethod() { this = "render view component" }

    override MethodCall getACallSimple() { result.getMethodName() = "render" }
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll
@@ -18,6 +18,8 @@ module Input implements InputSig<Location, DataFlowImplSpecific::RubyDataFlow> {

  class SinkBase = Void;

+  predicate callableFromSource(SummarizedCallableBase c) { none() }
+
  ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() }

  ReturnKind getStandardReturnValueKind() { result instanceof NormalReturnKind }
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -545,7 +545,7 @@ private module ParamsSummaries {
   * A flow summary for methods on `ActionController::Parameters` which
   * propagate taint from receiver to return value.
   */
-  private class MethodsReturningParamsInstanceSummary extends SummarizedCallable {
+  private class MethodsReturningParamsInstanceSummary extends SummarizedCallable::Range {
    MethodsReturningParamsInstanceSummary() { this = "ActionController::Parameters#<various>" }

    override MethodCall getACall() {
@@ -566,7 +566,7 @@ private module ParamsSummaries {
   * `#with_defaults`
   * Returns a new ActionController::Parameters with all keys from current hash merged into other_hash.
   */
-  private class MergeSummary extends SummarizedCallable {
+  private class MergeSummary extends SummarizedCallable::Range {
    MergeSummary() { this = "ActionController::Parameters#merge" }

    override MethodCall getACall() {
@@ -590,7 +590,7 @@ private module ParamsSummaries {
   * `#reverse_update`
   * Returns a new ActionController::Parameters with all keys from current hash merged into other_hash.
   */
-  private class MergeBangSummary extends SummarizedCallable {
+  private class MergeBangSummary extends SummarizedCallable::Range {
    MergeBangSummary() { this = "ActionController::Parameters#merge!" }

    override MethodCall getACall() {
@@ -609,7 +609,7 @@ private module ParamsSummaries {
  /** Flow summaries for `ActiveDispatch::Http::UploadedFile`, which can be an field of `ActionController::Parameters`. */
  module UploadedFileSummaries {
    /** Flow summary for various string attributes of `UploadedFile`, including `original_filename`, `content_type`, and `headers`. */
-    private class UploadedFileStringAttributeSummary extends SummarizedCallable {
+    private class UploadedFileStringAttributeSummary extends SummarizedCallable::Range {
      UploadedFileStringAttributeSummary() {
        this = "ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers]"
      }
@@ -632,7 +632,7 @@ private module ParamsSummaries {
     * Flow summary for `ActiveDispatch::Http::UploadedFile#read`,
     * which propagates taint from the receiver to the return value or to the second (out string) argument
     */
-    private class UploadedFileReadSummary extends SummarizedCallable {
+    private class UploadedFileReadSummary extends SummarizedCallable::Range {
      UploadedFileReadSummary() { this = "ActionDispatch::Http::UploadedFile#read" }

      override MethodCall getACall() {
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
@@ -45,7 +45,7 @@ module ActiveSupport {
      /**
       * Flow summary for methods which transform the receiver in some way, possibly preserving taint.
       */
-      private class StringTransformSummary extends SummarizedCallable {
+      private class StringTransformSummary extends SummarizedCallable::Range {
        // We're modeling a lot of different methods, so we make up a name for this summary.
        StringTransformSummary() { this = "ActiveSupportStringTransform" }

@@ -72,7 +72,7 @@ module ActiveSupport {
     */
    module Object {
      /** Flow summary for methods which can return the receiver. */
-      private class IdentitySummary extends SimpleSummarizedCallable {
+      private class IdentitySummary extends SummarizedCallable::RangeSimple {
        IdentitySummary() { this = ["presence", "deep_dup"] }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -106,7 +106,7 @@ module ActiveSupport {
      }

      /** Flow summary for `Object#to_json`, which serializes the receiver as a JSON string. */
-      private class ToJsonSummary extends SimpleSummarizedCallable {
+      private class ToJsonSummary extends SummarizedCallable::RangeSimple {
        ToJsonSummary() { this = "to_json" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -124,7 +124,7 @@ module ActiveSupport {
      /**
       * Flow summary for `reverse_merge`, and its alias `with_defaults`.
       */
-      private class ReverseMergeSummary extends SimpleSummarizedCallable {
+      private class ReverseMergeSummary extends SummarizedCallable::RangeSimple {
        ReverseMergeSummary() { this = ["reverse_merge", "with_defaults"] }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -137,7 +137,7 @@ module ActiveSupport {
      /**
       * Flow summary for `reverse_merge!`, and its aliases `with_defaults!` and `reverse_update`.
       */
-      private class ReverseMergeBangSummary extends SimpleSummarizedCallable {
+      private class ReverseMergeBangSummary extends SummarizedCallable::RangeSimple {
        ReverseMergeBangSummary() { this = ["reverse_merge!", "with_defaults!", "reverse_update"] }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -147,7 +147,7 @@ module ActiveSupport {
        }
      }

-      private class TransformSummary extends SimpleSummarizedCallable {
+      private class TransformSummary extends SummarizedCallable::RangeSimple {
        TransformSummary() {
          this =
            [
@@ -188,7 +188,7 @@ module ActiveSupport {
       * mentioned in the arguments to an element in `self`, including elements
       * at unknown keys.
       */
-      private class ExtractSummary extends SummarizedCallable {
+      private class ExtractSummary extends SummarizedCallable::Range {
        MethodCall mc;

        ExtractSummary() {
@@ -232,7 +232,7 @@ module ActiveSupport {
        ArrayIndex() { this = any(DataFlow::Content::KnownElementContent c).getIndex().getInt() }
      }

-      private class CompactBlankSummary extends SimpleSummarizedCallable {
+      private class CompactBlankSummary extends SummarizedCallable::RangeSimple {
        CompactBlankSummary() { this = "compact_blank" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -242,7 +242,7 @@ module ActiveSupport {
        }
      }

-      private class ExcludingSummary extends SimpleSummarizedCallable {
+      private class ExcludingSummary extends SummarizedCallable::RangeSimple {
        ExcludingSummary() { this = ["excluding", "without"] }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -252,7 +252,7 @@ module ActiveSupport {
        }
      }

-      private class InOrderOfSummary extends SimpleSummarizedCallable {
+      private class InOrderOfSummary extends SummarizedCallable::RangeSimple {
        InOrderOfSummary() { this = "in_order_of" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -265,7 +265,7 @@ module ActiveSupport {
      /**
       * Like `Array#push` but doesn't update the receiver.
       */
-      private class IncludingSummary extends SimpleSummarizedCallable {
+      private class IncludingSummary extends SummarizedCallable::RangeSimple {
        IncludingSummary() { this = "including" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -287,7 +287,7 @@ module ActiveSupport {
        }
      }

-      private class IndexBySummary extends SimpleSummarizedCallable {
+      private class IndexBySummary extends SummarizedCallable::RangeSimple {
        IndexBySummary() { this = "index_by" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -297,7 +297,7 @@ module ActiveSupport {
        }
      }

-      private class IndexWithSummary extends SimpleSummarizedCallable {
+      private class IndexWithSummary extends SummarizedCallable::RangeSimple {
        IndexWithSummary() { this = "index_with" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -316,7 +316,7 @@ module ActiveSupport {
        result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize()
      }

-      private class PickSingleSummary extends SummarizedCallable {
+      private class PickSingleSummary extends SummarizedCallable::Range {
        private MethodCall mc;
        private string key;

@@ -336,7 +336,7 @@ module ActiveSupport {
        }
      }

-      private class PickMultipleSummary extends SummarizedCallable {
+      private class PickMultipleSummary extends SummarizedCallable::Range {
        private MethodCall mc;

        PickMultipleSummary() {
@@ -370,7 +370,7 @@ module ActiveSupport {
        }
      }

-      private class PluckSingleSummary extends SummarizedCallable {
+      private class PluckSingleSummary extends SummarizedCallable::Range {
        private MethodCall mc;
        private string key;

@@ -390,7 +390,7 @@ module ActiveSupport {
        }
      }

-      private class PluckMultipleSummary extends SummarizedCallable {
+      private class PluckMultipleSummary extends SummarizedCallable::Range {
        private MethodCall mc;

        PluckMultipleSummary() {
@@ -424,7 +424,7 @@ module ActiveSupport {
        }
      }

-      private class SoleSummary extends SimpleSummarizedCallable {
+      private class SoleSummary extends SummarizedCallable::RangeSimple {
        SoleSummary() { this = "sole" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
@@ -458,7 +458,7 @@ module ActiveSupport {
     * `ActiveSupport::ERB::Util`
     */
    module Util {
-      private class JsonEscapeSummary extends SimpleSummarizedCallable {
+      private class JsonEscapeSummary extends SummarizedCallable::RangeSimple {
        JsonEscapeSummary() { this = "json_escape" }

        override predicate propagatesFlow(string input, string output, boolean preservesValue) {
--- a/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll
@@ -18,7 +18,7 @@ module Arel {
   * Flow summary for `Arel.sql`. This method wraps a SQL string, marking it as
   * safe.
   */
-  private class SqlSummary extends SummarizedCallable {
+  private class SqlSummary extends SummarizedCallable::Range {
    SqlSummary() { this = "Arel.sql" }

    override MethodCall getACall() {
@@ -44,7 +44,7 @@ module Arel {
   * Flow summary for `Arel::Nodes::SqlLiteral.new`. This method wraps a SQL string, marking it as
   * safe.
   */
-  private class SqlLiteralNewSummary extends SummarizedCallable {
+  private class SqlLiteralNewSummary extends SummarizedCallable::Range {
    SqlLiteralNewSummary() { this = "Arel::Nodes::SqlLiteral.new" }

    override MethodCall getACall() {
--- a/ruby/ql/lib/codeql/ruby/frameworks/Core.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Core.qll
@@ -57,7 +57,7 @@ class SubshellHeredocExecution extends SystemCommandExecution::Range {
  override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getAnArgument() }
 }

-private class SplatSummary extends SummarizedCallable {
+private class SplatSummary extends SummarizedCallable::Range {
  SplatSummary() { this = "*(splat)" }

  override SplatExpr getACallSimple() { any() }
@@ -76,7 +76,7 @@ private class SplatSummary extends SummarizedCallable {
  }
 }

-private class HashSplatSummary extends SummarizedCallable {
+private class HashSplatSummary extends SummarizedCallable::Range {
  HashSplatSummary() { this = "**(hash-splat)" }

  override HashSplatExpr getACallSimple() { any() }
--- a/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll
@@ -13,7 +13,7 @@ module Erb {
  /**
   * Flow summary for `ERB.new`. This method wraps a template string, compiling it.
   */
-  private class TemplateSummary extends SummarizedCallable {
+  private class TemplateSummary extends SummarizedCallable::Range {
    TemplateSummary() { this = "ERB.new" }

    override MethodCall getACall() { result = any(ErbTemplateNewCall c).asExpr().getExpr() }
--- a/ruby/ql/lib/codeql/ruby/frameworks/Files.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Files.qll
@@ -103,7 +103,7 @@ module File {
   * A flow summary for several methods on the `File` class that propagate taint
   * from their first argument to the return value.
   */
-  class FilePathConversionSummary extends SummarizedCallable {
+  class FilePathConversionSummary extends SummarizedCallable::Range {
    string methodName;

    FilePathConversionSummary() {
@@ -126,7 +126,7 @@ module File {
   * A flow summary for `File.join`, which propagates taint from every argument to
   * its return value.
   */
-  class FileJoinSummary extends SummarizedCallable {
+  class FileJoinSummary extends SummarizedCallable::Range {
    FileJoinSummary() { this = "File.join" }

    override MethodCall getACall() {
--- a/ruby/ql/lib/codeql/ruby/frameworks/Ldap.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Ldap.qll
@@ -14,7 +14,7 @@ module NetLdap {
  /**
   * Flow summary for `Net::LDAP.new`. This method establishes a connection to a LDAP server.
   */
-  private class LdapConnSummary extends SummarizedCallable {
+  private class LdapConnSummary extends SummarizedCallable::Range {
    LdapConnSummary() { this = "Net::LDAP.new" }

    override MethodCall getACall() { result = any(NetLdapConnection l).asExpr().getExpr() }
@@ -27,7 +27,7 @@ module NetLdap {
  /**
   * Flow summary for `Net::LDAP.Filter`.
   */
-  private class LdapFilterSummary extends SummarizedCallable {
+  private class LdapFilterSummary extends SummarizedCallable::Range {
    LdapFilterSummary() { this = "Net::LDAP::Filter" }

    override MethodCall getACall() { result = any(NetLdapFilter l).asExpr().getExpr() }
--- a/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll
@@ -13,7 +13,7 @@ module Mysql2 {
  /**
   * Flow summary for `Mysql2::Client.new()`.
   */
-  private class SqlSummary extends SummarizedCallable {
+  private class SqlSummary extends SummarizedCallable::Range {
    SqlSummary() { this = "Mysql2::Client.new()" }

    override MethodCall getACall() { result = any(Mysql2Connection c).asExpr().getExpr() }
@@ -61,7 +61,7 @@ module Mysql2 {
  /**
   * Flow summary for `Mysql2::Client.escape()`.
   */
-  private class EscapeSummary extends SummarizedCallable {
+  private class EscapeSummary extends SummarizedCallable::Range {
    EscapeSummary() { this = "Mysql2::Client.escape()" }

    override MethodCall getACall() { result = any(Mysql2EscapeSanitization c).asExpr().getExpr() }
--- a/ruby/ql/lib/codeql/ruby/frameworks/Pg.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Pg.qll
@@ -13,7 +13,7 @@ module Pg {
  /**
   * Flow summary for `PG.new()`. This method initializes a database connection.
   */
-  private class SqlSummary extends SummarizedCallable {
+  private class SqlSummary extends SummarizedCallable::Range {
    SqlSummary() { this = "PG.new()" }

    override MethodCall getACall() { result = any(PgConnection c).asExpr().getExpr() }
--- a/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll
@@ -330,7 +330,7 @@ private class LocalAssignsHashSyntheticGlobal extends string {
 }

 /** A summary for `render` calls linked to some specific ERB file. */
-private class RenderLocalsSummary extends SummarizedCallable {
+private class RenderLocalsSummary extends SummarizedCallable::Range {
  private LocalAssignsHashSyntheticGlobal glob;

  RenderLocalsSummary() { this = "rails_render_locals()" + glob.getId() }
@@ -345,7 +345,7 @@ private class RenderLocalsSummary extends SummarizedCallable {
 }

 /** A summary for calls to `local_assigns` in a view to access a `render` call `locals` hash. */
-private class AccessLocalsSummary extends SummarizedCallable {
+private class AccessLocalsSummary extends SummarizedCallable::Range {
  private LocalAssignsHashSyntheticGlobal glob;

  AccessLocalsSummary() { this = "rails_local_assigns()" + glob.getId() }
@@ -366,7 +366,7 @@ private string getAMethodNameFromErbFile(ErbFile f) {
  result = any(MethodCall c | c.getLocation().getFile() = f).getMethodName()
 }

-private class AccessLocalsKeySummary extends SummarizedCallable {
+private class AccessLocalsKeySummary extends SummarizedCallable::Range {
  private LocalAssignsHashSyntheticGlobal glob;
  private string methodName;

--- a/Show More
+++ b/Show More