From bedfe1e7556da2fda49aa10e6fe6d23598ca29d3 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
Date: Tue, 24 Mar 2026 22:06:53 +0000
Subject: [PATCH] Apply suggestions from code review

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../security/HardcodedCryptographicValueExtensions.qll | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
index 14482872443..7ac59c92c18 100644
--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -134,11 +134,12 @@ module HardcodedCryptographicValue {
 /**
 * An externally modeled barrier for hard-coded cryptographic value vulnerabilities.
 *
- * Note that a sanitizer with kind `credentials-key` will sanitize flow to
- * all sinks, not just sinks with the same kind.
+ * Note that a barrier will block flow to all hard-coded cryptographic value
+ * sinks, regardless of the `kind` that is specified. For example a barrier of
+ * kind `credentials-key` will block flow to a sink of kind `credentials-iv`.
 */
 private class ModelsAsDataBarrier extends Barrier {
- ModelsAsDataBarrier() { exists(string kind | barrierNode(this, "credentials-" + kind)) }
+ ModelsAsDataBarrier() { exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind)) }
 }

 /**
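Review bot: The `ModelsAsDataBarrier` characteristic predicate still discards `kind` once a row matches, so a barrier modeled for one kind of value (the comment's own example is `credentials-key`) also hides hard-coded values of every other kind, such as `credentials-iv`, that pass through the same node; the commit documents this, but nothing tells model authors what that demands of them. I would add a sentence to the QLDoc for them, for example `* Only add a barrier model when the node makes the value safe for every kind of sink.` Narrowing the variable to `CryptographicValueKind` (defined outside the hunk, so I am assuming it enumerates the sink kinds) also means a row with a misspelled suffix is now ignored without any diagnostic, which errs towards extra alerts but is worth covering with a test. The new predicate line is over 100 characters even before indentation, so the QL autoformatter will probably want it wrapped. The enclosing module starts and ends outside this hunk.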