Merge branch 'main' into post-release-prep/codeql-cli-2.22.2

2026-04-25 16:55:19 +02:00 · 2025-07-22 10:30:14 -04:00
parent 37cc78255a 6efc19daac
commit dd8d04bb94
26 changed files with 3435 additions and 2707 deletions
--- a/rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected
+++ b/rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected
@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
+ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql
--- a/rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected
+++ b/rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected
@@ -16,6 +16,7 @@ ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
+ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
--- a/rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected
+++ b/rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected
@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
+ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
--- a/rust/ql/lib/codeql/rust/frameworks/genericarray.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/genericarray.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["<generic_array::GenericArray>::from_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
+      - ["<generic_array::GenericArray>::from_mut_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
+      - ["<generic_array::GenericArray>::try_from_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]
+      - ["<generic_array::GenericArray>::try_from_mut_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]
--- a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/rustcrypto.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/rustcrypto.model.yml
@@ -8,3 +8,28 @@ extensions:
      - ["<_ as digest::digest::Digest>::chain_update", "Argument[0]", "hasher-input", "manual"]
      - ["<_ as digest::digest::Digest>::digest", "Argument[0]", "hasher-input", "manual"]
      - ["md5::compute", "Argument[0]", "hasher-input", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as aead::Aead>::encrypt", "Argument[0]", "credentials-nonce", "manual"]
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
@@ -3,6 +3,12 @@ extensions:
      pack: codeql/rust-all
      extensible: summaryModel
    data:
+      # Conversions
+      - ["<core::alloc::layout::Layout>::align_to", "Argument[self].Element", "ReturnValue.Field[0,1,2].Reference.Element", "taint", "manual"]
+      - ["<_ as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
+      - ["<_ as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
+      - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
+      - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
      # Iterator
      - ["<core::result::Result>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
      - ["<alloc::vec::Vec as value_trait::array::Array>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
@@ -59,6 +65,8 @@ extensions:
      pack: codeql/rust-all
      extensible: sourceModel
    data:
+      # Mem
+      - ["core::mem::zeroed", "ReturnValue.Element", "constant-source", "manual"]
      # Ptr
      - ["core::ptr::drop_in_place", "Argument[0]", "pointer-invalidate", "manual"]
      - ["core::ptr::dangling", "ReturnValue", "pointer-invalidate", "manual"]
--- a/rust/ql/lib/codeql/rust/internal/PathResolution.qll
+++ b/rust/ql/lib/codeql/rust/internal/PathResolution.qll
@@ -112,13 +112,18 @@ abstract class ItemNode extends Locatable {
    result = this.(SourceFileItemNode).getSuper()
  }

+  pragma[nomagic]
+  private ItemNode getAChildSuccessor(string name) {
+    this = result.getImmediateParent() and
+    name = result.getName()
+  }
+
  cached
  ItemNode getASuccessorRec(string name) {
    Stages::PathResolutionStage::ref() and
    sourceFileEdge(this, name, result)
    or
-    this = result.getImmediateParent() and
-    name = result.getName()
+    result = this.getAChildSuccessor(name)
    or
    fileImportEdge(this, name, result)
    or
@@ -224,6 +229,38 @@ abstract class ItemNode extends Locatable {
    result.(CrateItemNode).isPotentialDollarCrateTarget()
  }

+  /**
+   * Holds if the successor `item` with the name `name` is not available locally
+   * for unqualified paths.
+   *
+   * This has the effect that a path of the form `name` inside `this` will not
+   * resolve to `item`.
+   */
+  pragma[nomagic]
+  predicate excludedLocally(string name, ItemNode item) {
+    // Associated items in an impl or trait block are not directly available
+    // inside the block, they require a qualified path with a `Self` prefix.
+    item = this.getAChildSuccessor(name) and
+    this instanceof ImplOrTraitItemNode and
+    item instanceof AssocItemNode
+  }
+
+  /**
+   * Holds if the successor `item` with the name `name` is not available
+   * externally for qualified paths that resolve to this item.
+   *
+   * This has the effect that a path of the form `Qualifier::name`, where
+   * `Qualifier` resolves to this item, will not resolve to `item`.
+   */
+  pragma[nomagic]
+  predicate excludedExternally(string name, ItemNode item) {
+    // Type parameters for an `impl` or trait block are not available outside of
+    // the block.
+    item = this.getAChildSuccessor(name) and
+    this instanceof ImplOrTraitItemNode and
+    item instanceof TypeParamItemNode
+  }
+
  pragma[nomagic]
  private predicate hasSourceFunction(string name) {
    this.getASuccessorFull(name).(Function).fromSource()
@@ -1145,7 +1182,9 @@ pragma[nomagic]
 private predicate declares(ItemNode item, Namespace ns, string name) {
  exists(ItemNode child | child.getImmediateParent() = item |
    child.getName() = name and
-    child.getNamespace() = ns
+    child.getNamespace() = ns and
+    // If `item` is excluded locally then it does not declare `name`.
+    not item.excludedLocally(name, child)
    or
    useTreeDeclares(child.(Use).getUseTree(), name) and
    exists(ns) // `use foo::bar` can refer to both a value and a type
@@ -1193,38 +1232,27 @@ private ItemNode getOuterScope(ItemNode i) {
  result = i.getImmediateParent()
 }

-pragma[nomagic]
-private ItemNode getAdjustedEnclosing(ItemNode encl0, Namespace ns) {
-  // functions in `impl` blocks need to use explicit `Self::` to access other
-  // functions in the `impl` block
-  if encl0 instanceof ImplOrTraitItemNode and ns.isValue()
-  then result = encl0.getImmediateParent()
-  else result = encl0
-}
-
 /**
 * Holds if the unqualified path `p` references an item named `name`, and `name`
 * may be looked up in the `ns` namespace inside enclosing item `encl`.
 */
 pragma[nomagic]
 private predicate unqualifiedPathLookup(ItemNode encl, string name, Namespace ns, RelevantPath p) {
-  exists(ItemNode encl0 | encl = getAdjustedEnclosing(encl0, ns) |
-    // lookup in the immediately enclosing item
-    p.isUnqualified(name) and
-    encl0.getADescendant() = p and
-    exists(ns) and
-    not name = ["crate", "$crate", "super", "self"]
-    or
-    // lookup in an outer scope, but only if the item is not declared in inner scope
-    exists(ItemNode mid |
-      unqualifiedPathLookup(mid, name, ns, p) and
-      not declares(mid, ns, name) and
-      not (
-        name = "Self" and
-        mid = any(ImplOrTraitItemNode i).getAnItemInSelfScope()
-      ) and
-      encl0 = getOuterScope(mid)
-    )
+  // lookup in the immediately enclosing item
+  p.isUnqualified(name) and
+  encl.getADescendant() = p and
+  exists(ns) and
+  not name = ["crate", "$crate", "super", "self"]
+  or
+  // lookup in an outer scope, but only if the item is not declared in inner scope
+  exists(ItemNode mid |
+    unqualifiedPathLookup(mid, name, ns, p) and
+    not declares(mid, ns, name) and
+    not (
+      name = "Self" and
+      mid = any(ImplOrTraitItemNode i).getAnItemInSelfScope()
+    ) and
+    encl = getOuterScope(mid)
  )
 }

@@ -1245,10 +1273,10 @@ private predicate sourceFileHasCratePathTc(ItemNode i1, ItemNode i2) =

 /**
 * Holds if the unqualified path `p` references a keyword item named `name`, and
- * `name` may be looked up in the `ns` namespace inside enclosing item `encl`.
+ * `name` may be looked up inside enclosing item `encl`.
 */
 pragma[nomagic]
-private predicate keywordLookup(ItemNode encl, string name, Namespace ns, RelevantPath p) {
+private predicate keywordLookup(ItemNode encl, string name, RelevantPath p) {
  // For `($)crate`, jump directly to the root module
  exists(ItemNode i | p.isCratePath(name, i) |
    encl instanceof SourceFile and
@@ -1259,18 +1287,17 @@ private predicate keywordLookup(ItemNode encl, string name, Namespace ns, Releva
  or
  name = ["super", "self"] and
  p.isUnqualified(name) and
-  exists(ItemNode encl0 |
-    encl0.getADescendant() = p and
-    encl = getAdjustedEnclosing(encl0, ns)
-  )
+  encl.getADescendant() = p
 }

 pragma[nomagic]
 private ItemNode unqualifiedPathLookup(RelevantPath p, Namespace ns) {
-  exists(ItemNode encl, string name | result = getASuccessorFull(encl, name, ns) |
+  exists(ItemNode encl, string name |
+    result = getASuccessorFull(encl, name, ns) and not encl.excludedLocally(name, result)
+  |
    unqualifiedPathLookup(encl, name, ns, p)
    or
-    keywordLookup(encl, name, ns, p)
+    keywordLookup(encl, name, p) and exists(ns)
  )
 }

@@ -1291,7 +1318,8 @@ private ItemNode resolvePath0(RelevantPath path, Namespace ns) {
  or
  exists(ItemNode q, string name |
    q = resolvePathQualifier(path, name) and
-    result = getASuccessorFull(q, name, ns)
+    result = getASuccessorFull(q, name, ns) and
+    not q.excludedExternally(name, result)
  )
  or
  result = resolveUseTreeListItem(_, _, path) and
--- a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
@@ -5,7 +5,7 @@

 import rust
 private import codeql.rust.dataflow.DataFlow
-private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.security.SensitiveData
 private import codeql.rust.Concepts

--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -0,0 +1,109 @@
+/**
+ * Provides classes and predicates for reasoning about hard-coded cryptographic value
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.rust.security.SensitiveData
+
+/**
+ * A kind of cryptographic value.
+ */
+class CryptographicValueKind extends string {
+  CryptographicValueKind() { this = ["password", "key", "iv", "nonce", "salt"] }
+
+  /**
+   * Gets a description of this value kind for user-facing messages.
+   */
+  string getDescription() {
+    this = "password" and result = "a password"
+    or
+    this = "key" and result = "a key"
+    or
+    this = "iv" and result = "an initialization vector"
+    or
+    this = "nonce" and result = "a nonce"
+    or
+    this = "salt" and result = "a salt"
+  }
+}
+
+/**
+ * Provides default sources, sinks and barriers for detecting hard-coded cryptographic
+ * value vulnerabilities, as well as extension points for adding your own.
+ */
+module HardcodedCryptographicValue {
+  /**
+   * A data flow source for hard-coded cryptographic value vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for hard-coded cryptographic value vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "HardcodedCryptographicValue" }
+
+    /**
+     * Gets the kind of credential this sink is interpreted as.
+     */
+    abstract CryptographicValueKind getKind();
+  }
+
+  /**
+   * A barrier for hard-coded cryptographic value vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * A literal, considered as a flow source.
+   */
+  private class LiteralSource extends Source {
+    LiteralSource() { this.asExpr().getExpr() instanceof LiteralExpr }
+  }
+
+  /**
+   * An array initialized from a list of literals, considered as a single flow source. For example:
+   * ```
+   * `[0, 0, 0, 0]`
+   * ```
+   */
+  private class ArrayListSource extends Source {
+    ArrayListSource() { this.asExpr().getExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr }
+  }
+
+  /**
+   * An externally modeled source for constant values.
+   */
+  private class ModeledSource extends Source {
+    ModeledSource() { sourceNode(this, "constant-source") }
+  }
+
+  /**
+   * An externally modeled sink for hard-coded cryptographic value vulnerabilities.
+   */
+  private class ModelsAsDataSinks extends Sink {
+    CryptographicValueKind kind;
+
+    ModelsAsDataSinks() { sinkNode(this, "credentials-" + kind) }
+
+    override CryptographicValueKind getKind() { result = kind }
+  }
+
+  /**
+   * A call to `getrandom` that is a barrier.
+   */
+  private class GetRandomBarrier extends Barrier {
+    GetRandomBarrier() {
+      exists(CallExprBase ce |
+        ce.getStaticTarget().(Addressable).getCanonicalPath() =
+          ["getrandom::fill", "getrandom::getrandom"] and
+        this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0)
+      )
+    }
+  }
+}
--- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
@@ -6,7 +6,7 @@

 import rust
 private import codeql.rust.dataflow.DataFlow
-private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.util.Unit

--- a/rust/ql/src/change-notes/2025-06-24-hardcoded-cryptographic-value.md
+++ b/rust/ql/src/change-notes/2025-06-24-hardcoded-cryptographic-value.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rust/hardcoded-crytographic-value`, for detecting use of hardcoded keys, passwords, salts and initialization vectors.
--- a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.qhelp
+++ b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.qhelp
@@ -0,0 +1,58 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Hard-coded passwords, keys, initialization vectors, and salts should not be used for cryptographic operations.
+</p>
+<ul>
+  <li>
+    Attackers can easily recover hard-coded values if they have access to the source code or compiled executable.
+  </li>
+  <li>
+    Some hard-coded values are easily guessable.
+  </li>
+  <li>
+    Use of hard-coded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis.
+  </li>
+</ul>
+
+</overview>
+<recommendation>
+
+<p>
+Use randomly generated key material, initialization vectors, and salts. Use strong passwords that are not hard-coded.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+The following example shows instantiating a cipher with hard-coded key material, making the encrypted data vulnerable to recovery.
+</p>
+
+<sample src="HardcodedCryptographicValueBad.rs" />
+
+<p>
+In the fixed code below, the key material is randomly generated and not hard-coded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated.
+</p>
+
+<sample src="HardcodedCryptographicValueGood.rs" />
+
+</example>
+<references>
+
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>.
+</li>
+<li>
+OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
+</li>
+<li>
+O'Reilly: <a href="https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch04s09.html">Using Salts, Nonces, and Initialization Vectors</a>.
+</li>
+
+</references>
+</qhelp>
--- a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
+++ b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
@@ -0,0 +1,58 @@
+/**
+ * @name Hard-coded cryptographic value
+ * @description Using hard-coded keys, passwords, salts or initialization
+ *              vectors is not secure.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.8
+ * @precision high
+ * @id rust/hard-coded-cryptographic-value
+ * @tags security
+ *       external/cwe/cwe-259
+ *       external/cwe/cwe-321
+ *       external/cwe/cwe-798
+ *       external/cwe/cwe-1204
+ */
+
+import rust
+import codeql.rust.security.HardcodedCryptographicValueExtensions
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.dataflow.internal.DataFlowImpl
+import codeql.rust.dataflow.internal.Content
+
+/**
+ * A taint-tracking configuration for hard-coded cryptographic value vulnerabilities.
+ */
+module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig {
+  import HardcodedCryptographicValue
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    // (this combined with sources for `ArrayListExpr` means we only get one source in
+    //  case like `[0, 0, 0, 0]`)
+    isSource(node)
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from reference content at sinks.
+    isSink(node) and
+    c.getAReadContent() instanceof ReferenceContent
+  }
+}
+
+module HardcodedCryptographicValueFlow = TaintTracking::Global<HardcodedCryptographicValueConfig>;
+
+import HardcodedCryptographicValueFlow::PathGraph
+
+from
+  HardcodedCryptographicValueFlow::PathNode source, HardcodedCryptographicValueFlow::PathNode sink
+where HardcodedCryptographicValueFlow::flowPath(source, sink)
+select source.getNode(), source, sink, "This hard-coded value is used as $@.", sink,
+  sink.getNode().(HardcodedCryptographicValueConfig::Sink).getKind().getDescription()
--- a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueBad.rs
+++ b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueBad.rs
@@ -0,0 +1,2 @@
+let key: [u8;32] = [0;32]; // BAD: Using hard-coded keys for encryption
+let cipher = Aes256Gcm::new(&key.into());
--- a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueGood.rs
+++ b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueGood.rs
@@ -0,0 +1,2 @@
+let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption
+let cipher = Aes256Gcm::new(&key);
--- a/rust/ql/src/queries/summary/Stats.qll
+++ b/rust/ql/src/queries/summary/Stats.qll
@@ -25,6 +25,7 @@ private import codeql.rust.security.SqlInjectionExtensions
 private import codeql.rust.security.TaintedPathExtensions
 private import codeql.rust.security.UncontrolledAllocationSizeExtensions
 private import codeql.rust.security.WeakSensitiveDataHashingExtensions
+private import codeql.rust.security.HardcodedCryptographicValueExtensions

 /**
 * Gets a count of the total number of lines of code in the database.
--- a/rust/ql/test/library-tests/path-resolution/main.rs
+++ b/rust/ql/test/library-tests/path-resolution/main.rs
@@ -636,6 +636,60 @@ impl AStruct // $ item=I123
    pub fn z(&self) {} // I125
 }

+mod associated_types {
+    use std::marker::PhantomData; // $ item=PhantomData
+    use std::result::Result; // $ item=Result
+
+    trait Reduce {
+        type Input; // ReduceInput
+        type Error; // ReduceError
+        type Output; // ReduceOutput
+        fn feed(
+            &mut self,
+            item: Self::Input, // $ item=ReduceInput
+        ) -> Result<Self::Output, Self::Error>; // $ item=Result item=ReduceOutput item=ReduceError
+    } // IReduce
+
+    struct MyImpl<Input, Error> {
+        _input: PhantomData<Input>, // $ item=PhantomData item=Input
+        _error: PhantomData<Error>, // $ item=PhantomData item=Error
+    } // MyImpl
+
+    #[rustfmt::skip]
+    impl<
+            Input, // IInput
+            Error, // IError
+        > Reduce // $ item=IReduce
+        for MyImpl<
+            Input, // $ item=IInput
+            Error, // $ item=IError
+        > // $ item=MyImpl
+    {
+        type Input = Result<
+            Input,       // $ item=IInput
+            Self::Error, // $ item=IErrorAssociated
+        > // $ item=Result
+        ; // IInputAssociated
+        type Error = Option<
+          Error // $ item=IError
+        > // $ item=Option
+        ; // IErrorAssociated
+        type Output =
+            Input // $ item=IInput
+        ; // IOutputAssociated
+
+        fn feed(
+            &mut self,
+            item: Self::Input // $ item=IInputAssociated
+        ) -> Result<
+            Self::Output, // $ item=IOutputAssociated
+            Self::Error // $ item=IErrorAssociated
+        > { // $ item=Result
+            item
+        }
+    }
+}
+
 use std::{self as ztd}; // $ item=std

 fn use_ztd(x: ztd::string::String) {} // $ item=String
--- a/rust/ql/test/library-tests/path-resolution/path-resolution.expected
+++ b/rust/ql/test/library-tests/path-resolution/path-resolution.expected
@@ -28,6 +28,7 @@ mod
 | main.rs:509:5:524:5 | mod m33 |
 | main.rs:527:1:552:1 | mod m23 |
 | main.rs:554:1:622:1 | mod m24 |
+| main.rs:639:1:691:1 | mod associated_types |
 | my2/mod.rs:1:1:1:16 | mod nested2 |
 | my2/mod.rs:12:1:12:12 | mod my3 |
 | my2/mod.rs:14:1:15:10 | mod mymod |
@@ -61,7 +62,7 @@ resolvePath
 | main.rs:30:17:30:21 | super | main.rs:18:5:36:5 | mod m2 |
 | main.rs:30:17:30:24 | ...::f | main.rs:19:9:21:9 | fn f |
 | main.rs:33:17:33:17 | f | main.rs:19:9:21:9 | fn f |
-| main.rs:40:9:40:13 | super | main.rs:1:1:677:2 | SourceFile |
+| main.rs:40:9:40:13 | super | main.rs:1:1:731:2 | SourceFile |
 | main.rs:40:9:40:17 | ...::m1 | main.rs:13:1:37:1 | mod m1 |
 | main.rs:40:9:40:21 | ...::m2 | main.rs:18:5:36:5 | mod m2 |
 | main.rs:40:9:40:24 | ...::g | main.rs:23:9:27:9 | fn g |
@@ -73,7 +74,7 @@ resolvePath
 | main.rs:61:17:61:19 | Foo | main.rs:59:9:59:21 | struct Foo |
 | main.rs:64:13:64:15 | Foo | main.rs:53:5:53:17 | struct Foo |
 | main.rs:66:5:66:5 | f | main.rs:55:5:62:5 | fn f |
-| main.rs:68:5:68:8 | self | main.rs:1:1:677:2 | SourceFile |
+| main.rs:68:5:68:8 | self | main.rs:1:1:731:2 | SourceFile |
 | main.rs:68:5:68:11 | ...::i | main.rs:71:1:83:1 | fn i |
 | main.rs:74:13:74:15 | Foo | main.rs:48:1:48:13 | struct Foo |
 | main.rs:78:16:78:18 | i32 | {EXTERNAL LOCATION} | struct i32 |
@@ -88,7 +89,7 @@ resolvePath
 | main.rs:87:57:87:66 | ...::g | my2/nested2.rs:7:9:9:9 | fn g |
 | main.rs:87:80:87:86 | nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 |
 | main.rs:100:5:100:22 | f_defined_in_macro | main.rs:99:18:99:42 | fn f_defined_in_macro |
-| main.rs:117:13:117:17 | super | main.rs:1:1:677:2 | SourceFile |
+| main.rs:117:13:117:17 | super | main.rs:1:1:731:2 | SourceFile |
 | main.rs:117:13:117:21 | ...::m5 | main.rs:103:1:107:1 | mod m5 |
 | main.rs:118:9:118:9 | f | main.rs:104:5:106:5 | fn f |
 | main.rs:118:9:118:9 | f | main.rs:110:5:112:5 | fn f |
@@ -276,74 +277,109 @@ resolvePath
 | main.rs:635:7:635:16 | proc_macro | {EXTERNAL LOCATION} | Crate(proc_macro@0.0.0) |
 | main.rs:635:7:635:16 | proc_macro | proc_macro.rs:0:0:0:0 | Crate(proc_macro@0.0.1) |
 | main.rs:635:7:635:28 | ...::add_suffix | proc_macro.rs:4:1:12:1 | fn add_suffix |
-| main.rs:639:5:639:7 | std | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
-| main.rs:639:11:639:14 | self | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
-| main.rs:641:15:641:17 | ztd | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
-| main.rs:641:15:641:25 | ...::string | {EXTERNAL LOCATION} | mod string |
-| main.rs:641:15:641:33 | ...::String | {EXTERNAL LOCATION} | struct String |
-| main.rs:644:5:644:6 | my | main.rs:1:1:1:7 | mod my |
-| main.rs:644:5:644:14 | ...::nested | my.rs:1:1:1:15 | mod nested |
-| main.rs:644:5:644:23 | ...::nested1 | my/nested.rs:1:1:17:1 | mod nested1 |
-| main.rs:644:5:644:32 | ...::nested2 | my/nested.rs:2:5:11:5 | mod nested2 |
-| main.rs:644:5:644:35 | ...::f | my/nested.rs:3:9:5:9 | fn f |
-| main.rs:645:5:645:6 | my | main.rs:1:1:1:7 | mod my |
-| main.rs:645:5:645:9 | ...::f | my.rs:5:1:7:1 | fn f |
-| main.rs:646:5:646:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 |
-| main.rs:646:5:646:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 |
-| main.rs:646:5:646:29 | ...::nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 |
-| main.rs:646:5:646:32 | ...::f | my2/nested2.rs:3:9:5:9 | fn f |
-| main.rs:647:5:647:5 | f | my2/nested2.rs:3:9:5:9 | fn f |
-| main.rs:648:5:648:5 | g | my2/nested2.rs:7:9:9:9 | fn g |
-| main.rs:649:5:649:9 | crate | main.rs:0:0:0:0 | Crate(main@0.0.1) |
-| main.rs:649:5:649:12 | ...::h | main.rs:50:1:69:1 | fn h |
-| main.rs:650:5:650:6 | m1 | main.rs:13:1:37:1 | mod m1 |
-| main.rs:650:5:650:10 | ...::m2 | main.rs:18:5:36:5 | mod m2 |
-| main.rs:650:5:650:13 | ...::g | main.rs:23:9:27:9 | fn g |
-| main.rs:651:5:651:6 | m1 | main.rs:13:1:37:1 | mod m1 |
-| main.rs:651:5:651:10 | ...::m2 | main.rs:18:5:36:5 | mod m2 |
-| main.rs:651:5:651:14 | ...::m3 | main.rs:29:9:35:9 | mod m3 |
-| main.rs:651:5:651:17 | ...::h | main.rs:30:27:34:13 | fn h |
-| main.rs:652:5:652:6 | m4 | main.rs:39:1:46:1 | mod m4 |
-| main.rs:652:5:652:9 | ...::i | main.rs:42:5:45:5 | fn i |
-| main.rs:653:5:653:5 | h | main.rs:50:1:69:1 | fn h |
-| main.rs:654:5:654:11 | f_alias | my2/nested2.rs:3:9:5:9 | fn f |
-| main.rs:655:5:655:11 | g_alias | my2/nested2.rs:7:9:9:9 | fn g |
-| main.rs:656:5:656:5 | j | main.rs:97:1:101:1 | fn j |
-| main.rs:657:5:657:6 | m6 | main.rs:109:1:120:1 | mod m6 |
-| main.rs:657:5:657:9 | ...::g | main.rs:114:5:119:5 | fn g |
-| main.rs:658:5:658:6 | m7 | main.rs:122:1:141:1 | mod m7 |
-| main.rs:658:5:658:9 | ...::f | main.rs:133:5:140:5 | fn f |
-| main.rs:659:5:659:6 | m8 | main.rs:143:1:197:1 | mod m8 |
-| main.rs:659:5:659:9 | ...::g | main.rs:181:5:196:5 | fn g |
-| main.rs:660:5:660:6 | m9 | main.rs:199:1:207:1 | mod m9 |
-| main.rs:660:5:660:9 | ...::f | main.rs:202:5:206:5 | fn f |
-| main.rs:661:5:661:7 | m11 | main.rs:230:1:267:1 | mod m11 |
-| main.rs:661:5:661:10 | ...::f | main.rs:235:5:238:5 | fn f |
-| main.rs:662:5:662:7 | m15 | main.rs:298:1:352:1 | mod m15 |
-| main.rs:662:5:662:10 | ...::f | main.rs:339:5:351:5 | fn f |
-| main.rs:663:5:663:7 | m16 | main.rs:354:1:446:1 | mod m16 |
-| main.rs:663:5:663:10 | ...::f | main.rs:421:5:445:5 | fn f |
-| main.rs:664:5:664:7 | m17 | main.rs:448:1:478:1 | mod m17 |
-| main.rs:664:5:664:10 | ...::f | main.rs:472:5:477:5 | fn f |
-| main.rs:665:5:665:11 | nested6 | my2/nested2.rs:14:5:18:5 | mod nested6 |
-| main.rs:665:5:665:14 | ...::f | my2/nested2.rs:15:9:17:9 | fn f |
-| main.rs:666:5:666:11 | nested8 | my2/nested2.rs:22:5:26:5 | mod nested8 |
-| main.rs:666:5:666:14 | ...::f | my2/nested2.rs:23:9:25:9 | fn f |
-| main.rs:667:5:667:7 | my3 | my2/mod.rs:12:1:12:12 | mod my3 |
-| main.rs:667:5:667:10 | ...::f | my2/my3/mod.rs:1:1:5:1 | fn f |
-| main.rs:668:5:668:12 | nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f |
-| main.rs:669:5:669:7 | m18 | main.rs:480:1:498:1 | mod m18 |
-| main.rs:669:5:669:12 | ...::m19 | main.rs:485:5:497:5 | mod m19 |
-| main.rs:669:5:669:17 | ...::m20 | main.rs:490:9:496:9 | mod m20 |
-| main.rs:669:5:669:20 | ...::g | main.rs:491:13:495:13 | fn g |
-| main.rs:670:5:670:7 | m23 | main.rs:527:1:552:1 | mod m23 |
-| main.rs:670:5:670:10 | ...::f | main.rs:547:5:551:5 | fn f |
-| main.rs:671:5:671:7 | m24 | main.rs:554:1:622:1 | mod m24 |
-| main.rs:671:5:671:10 | ...::f | main.rs:608:5:621:5 | fn f |
-| main.rs:672:5:672:8 | zelf | main.rs:0:0:0:0 | Crate(main@0.0.1) |
-| main.rs:672:5:672:11 | ...::h | main.rs:50:1:69:1 | fn h |
-| main.rs:674:5:674:11 | AStruct | main.rs:629:1:629:17 | struct AStruct |
-| main.rs:675:5:675:11 | AStruct | main.rs:629:1:629:17 | struct AStruct |
+| main.rs:640:9:640:11 | std | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
+| main.rs:640:9:640:19 | ...::marker | {EXTERNAL LOCATION} | mod marker |
+| main.rs:640:9:640:32 | ...::PhantomData | {EXTERNAL LOCATION} | struct PhantomData |
+| main.rs:641:9:641:11 | std | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
+| main.rs:641:9:641:19 | ...::result | {EXTERNAL LOCATION} | mod result |
+| main.rs:641:9:641:27 | ...::Result | {EXTERNAL LOCATION} | enum Result |
+| main.rs:649:19:649:22 | Self | main.rs:643:5:651:5 | trait Reduce |
+| main.rs:649:19:649:29 | ...::Input | main.rs:644:9:644:19 | type Input |
+| main.rs:650:14:650:46 | Result::<...> | {EXTERNAL LOCATION} | enum Result |
+| main.rs:650:21:650:24 | Self | main.rs:643:5:651:5 | trait Reduce |
+| main.rs:650:21:650:32 | ...::Output | main.rs:645:21:646:20 | type Output |
+| main.rs:650:35:650:38 | Self | main.rs:643:5:651:5 | trait Reduce |
+| main.rs:650:35:650:45 | ...::Error | main.rs:644:21:645:19 | type Error |
+| main.rs:654:17:654:34 | PhantomData::<...> | {EXTERNAL LOCATION} | struct PhantomData |
+| main.rs:654:29:654:33 | Input | main.rs:653:19:653:23 | Input |
+| main.rs:655:17:655:34 | PhantomData::<...> | {EXTERNAL LOCATION} | struct PhantomData |
+| main.rs:655:29:655:33 | Error | main.rs:653:26:653:30 | Error |
+| main.rs:662:11:662:16 | Reduce | main.rs:643:5:651:5 | trait Reduce |
+| main.rs:663:13:666:9 | MyImpl::<...> | main.rs:653:5:656:5 | struct MyImpl |
+| main.rs:664:13:664:17 | Input | main.rs:660:13:660:17 | Input |
+| main.rs:665:13:665:17 | Error | main.rs:661:13:661:17 | Error |
+| main.rs:668:22:671:9 | Result::<...> | {EXTERNAL LOCATION} | enum Result |
+| main.rs:669:13:669:17 | Input | main.rs:660:13:660:17 | Input |
+| main.rs:670:13:670:16 | Self | main.rs:658:5:690:5 | impl Reduce for MyImpl::<...> { ... } |
+| main.rs:670:13:670:23 | ...::Error | main.rs:672:11:676:9 | type Error |
+| main.rs:673:22:675:9 | Option::<...> | {EXTERNAL LOCATION} | enum Option |
+| main.rs:674:11:674:15 | Error | main.rs:661:13:661:17 | Error |
+| main.rs:678:13:678:17 | Input | main.rs:660:13:660:17 | Input |
+| main.rs:683:19:683:22 | Self | main.rs:658:5:690:5 | impl Reduce for MyImpl::<...> { ... } |
+| main.rs:683:19:683:29 | ...::Input | main.rs:668:9:672:9 | type Input |
+| main.rs:684:14:687:9 | Result::<...> | {EXTERNAL LOCATION} | enum Result |
+| main.rs:685:13:685:16 | Self | main.rs:658:5:690:5 | impl Reduce for MyImpl::<...> { ... } |
+| main.rs:685:13:685:24 | ...::Output | main.rs:676:11:679:9 | type Output |
+| main.rs:686:13:686:16 | Self | main.rs:658:5:690:5 | impl Reduce for MyImpl::<...> { ... } |
+| main.rs:686:13:686:23 | ...::Error | main.rs:672:11:676:9 | type Error |
+| main.rs:693:5:693:7 | std | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
+| main.rs:693:11:693:14 | self | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
+| main.rs:695:15:695:17 | ztd | {EXTERNAL LOCATION} | Crate(std@0.0.0) |
+| main.rs:695:15:695:25 | ...::string | {EXTERNAL LOCATION} | mod string |
+| main.rs:695:15:695:33 | ...::String | {EXTERNAL LOCATION} | struct String |
+| main.rs:698:5:698:6 | my | main.rs:1:1:1:7 | mod my |
+| main.rs:698:5:698:14 | ...::nested | my.rs:1:1:1:15 | mod nested |
+| main.rs:698:5:698:23 | ...::nested1 | my/nested.rs:1:1:17:1 | mod nested1 |
+| main.rs:698:5:698:32 | ...::nested2 | my/nested.rs:2:5:11:5 | mod nested2 |
+| main.rs:698:5:698:35 | ...::f | my/nested.rs:3:9:5:9 | fn f |
+| main.rs:699:5:699:6 | my | main.rs:1:1:1:7 | mod my |
+| main.rs:699:5:699:9 | ...::f | my.rs:5:1:7:1 | fn f |
+| main.rs:700:5:700:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 |
+| main.rs:700:5:700:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 |
+| main.rs:700:5:700:29 | ...::nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 |
+| main.rs:700:5:700:32 | ...::f | my2/nested2.rs:3:9:5:9 | fn f |
+| main.rs:701:5:701:5 | f | my2/nested2.rs:3:9:5:9 | fn f |
+| main.rs:702:5:702:5 | g | my2/nested2.rs:7:9:9:9 | fn g |
+| main.rs:703:5:703:9 | crate | main.rs:0:0:0:0 | Crate(main@0.0.1) |
+| main.rs:703:5:703:12 | ...::h | main.rs:50:1:69:1 | fn h |
+| main.rs:704:5:704:6 | m1 | main.rs:13:1:37:1 | mod m1 |
+| main.rs:704:5:704:10 | ...::m2 | main.rs:18:5:36:5 | mod m2 |
+| main.rs:704:5:704:13 | ...::g | main.rs:23:9:27:9 | fn g |
+| main.rs:705:5:705:6 | m1 | main.rs:13:1:37:1 | mod m1 |
+| main.rs:705:5:705:10 | ...::m2 | main.rs:18:5:36:5 | mod m2 |
+| main.rs:705:5:705:14 | ...::m3 | main.rs:29:9:35:9 | mod m3 |
+| main.rs:705:5:705:17 | ...::h | main.rs:30:27:34:13 | fn h |
+| main.rs:706:5:706:6 | m4 | main.rs:39:1:46:1 | mod m4 |
+| main.rs:706:5:706:9 | ...::i | main.rs:42:5:45:5 | fn i |
+| main.rs:707:5:707:5 | h | main.rs:50:1:69:1 | fn h |
+| main.rs:708:5:708:11 | f_alias | my2/nested2.rs:3:9:5:9 | fn f |
+| main.rs:709:5:709:11 | g_alias | my2/nested2.rs:7:9:9:9 | fn g |
+| main.rs:710:5:710:5 | j | main.rs:97:1:101:1 | fn j |
+| main.rs:711:5:711:6 | m6 | main.rs:109:1:120:1 | mod m6 |
+| main.rs:711:5:711:9 | ...::g | main.rs:114:5:119:5 | fn g |
+| main.rs:712:5:712:6 | m7 | main.rs:122:1:141:1 | mod m7 |
+| main.rs:712:5:712:9 | ...::f | main.rs:133:5:140:5 | fn f |
+| main.rs:713:5:713:6 | m8 | main.rs:143:1:197:1 | mod m8 |
+| main.rs:713:5:713:9 | ...::g | main.rs:181:5:196:5 | fn g |
+| main.rs:714:5:714:6 | m9 | main.rs:199:1:207:1 | mod m9 |
+| main.rs:714:5:714:9 | ...::f | main.rs:202:5:206:5 | fn f |
+| main.rs:715:5:715:7 | m11 | main.rs:230:1:267:1 | mod m11 |
+| main.rs:715:5:715:10 | ...::f | main.rs:235:5:238:5 | fn f |
+| main.rs:716:5:716:7 | m15 | main.rs:298:1:352:1 | mod m15 |
+| main.rs:716:5:716:10 | ...::f | main.rs:339:5:351:5 | fn f |
+| main.rs:717:5:717:7 | m16 | main.rs:354:1:446:1 | mod m16 |
+| main.rs:717:5:717:10 | ...::f | main.rs:421:5:445:5 | fn f |
+| main.rs:718:5:718:7 | m17 | main.rs:448:1:478:1 | mod m17 |
+| main.rs:718:5:718:10 | ...::f | main.rs:472:5:477:5 | fn f |
+| main.rs:719:5:719:11 | nested6 | my2/nested2.rs:14:5:18:5 | mod nested6 |
+| main.rs:719:5:719:14 | ...::f | my2/nested2.rs:15:9:17:9 | fn f |
+| main.rs:720:5:720:11 | nested8 | my2/nested2.rs:22:5:26:5 | mod nested8 |
+| main.rs:720:5:720:14 | ...::f | my2/nested2.rs:23:9:25:9 | fn f |
+| main.rs:721:5:721:7 | my3 | my2/mod.rs:12:1:12:12 | mod my3 |
+| main.rs:721:5:721:10 | ...::f | my2/my3/mod.rs:1:1:5:1 | fn f |
+| main.rs:722:5:722:12 | nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f |
+| main.rs:723:5:723:7 | m18 | main.rs:480:1:498:1 | mod m18 |
+| main.rs:723:5:723:12 | ...::m19 | main.rs:485:5:497:5 | mod m19 |
+| main.rs:723:5:723:17 | ...::m20 | main.rs:490:9:496:9 | mod m20 |
+| main.rs:723:5:723:20 | ...::g | main.rs:491:13:495:13 | fn g |
+| main.rs:724:5:724:7 | m23 | main.rs:527:1:552:1 | mod m23 |
+| main.rs:724:5:724:10 | ...::f | main.rs:547:5:551:5 | fn f |
+| main.rs:725:5:725:7 | m24 | main.rs:554:1:622:1 | mod m24 |
+| main.rs:725:5:725:10 | ...::f | main.rs:608:5:621:5 | fn f |
+| main.rs:726:5:726:8 | zelf | main.rs:0:0:0:0 | Crate(main@0.0.1) |
+| main.rs:726:5:726:11 | ...::h | main.rs:50:1:69:1 | fn h |
+| main.rs:728:5:728:11 | AStruct | main.rs:629:1:629:17 | struct AStruct |
+| main.rs:729:5:729:11 | AStruct | main.rs:629:1:629:17 | struct AStruct |
 | my2/mod.rs:5:5:5:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 |
 | my2/mod.rs:5:5:5:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 |
 | my2/mod.rs:5:5:5:29 | ...::nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 |
@@ -359,7 +395,7 @@ resolvePath
 | my2/my3/mod.rs:3:5:3:5 | g | my2/mod.rs:3:1:6:1 | fn g |
 | my2/my3/mod.rs:4:5:4:5 | h | main.rs:50:1:69:1 | fn h |
 | my2/my3/mod.rs:7:5:7:9 | super | my2/mod.rs:1:1:17:30 | SourceFile |
-| my2/my3/mod.rs:7:5:7:16 | ...::super | main.rs:1:1:677:2 | SourceFile |
+| my2/my3/mod.rs:7:5:7:16 | ...::super | main.rs:1:1:731:2 | SourceFile |
 | my2/my3/mod.rs:7:5:7:19 | ...::h | main.rs:50:1:69:1 | fn h |
 | my2/my3/mod.rs:8:5:8:9 | super | my2/mod.rs:1:1:17:30 | SourceFile |
 | my2/my3/mod.rs:8:5:8:12 | ...::g | my2/mod.rs:3:1:6:1 | fn g |
--- a/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected
+++ b/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,8 +1,8 @@
 multipleCallTargets
 | dereference.rs:61:15:61:24 | e1.deref() |
-| main.rs:2186:13:2186:31 | ...::from(...) |
-| main.rs:2187:13:2187:31 | ...::from(...) |
-| main.rs:2188:13:2188:31 | ...::from(...) |
-| main.rs:2194:13:2194:31 | ...::from(...) |
-| main.rs:2195:13:2195:31 | ...::from(...) |
-| main.rs:2196:13:2196:31 | ...::from(...) |
+| main.rs:2213:13:2213:31 | ...::from(...) |
+| main.rs:2214:13:2214:31 | ...::from(...) |
+| main.rs:2215:13:2215:31 | ...::from(...) |
+| main.rs:2221:13:2221:31 | ...::from(...) |
+| main.rs:2222:13:2222:31 | ...::from(...) |
+| main.rs:2223:13:2223:31 | ...::from(...) |
--- a/rust/ql/test/library-tests/type-inference/main.rs
+++ b/rust/ql/test/library-tests/type-inference/main.rs
@@ -1042,6 +1042,23 @@ mod type_aliases {

    type S7<T7> = Result<S6<T7>, S1>;

+    struct GenS<GenT>(GenT);
+
+    trait TraitWithAssocType {
+        type Output;
+        fn get_input(self) -> Self::Output;
+    }
+
+    impl<Output> TraitWithAssocType for GenS<Output> {
+        // This is not a recursive type, the `Output` on the right-hand side
+        // refers to the type parameter of the impl block just above.
+        type Output = Result<Output, Output>;
+
+        fn get_input(self) -> Self::Output {
+            Ok(self.0) // $ fieldof=GenS type=Ok(...):Result type=Ok(...):T.Output type=Ok(...):E.Output
+        }
+    }
+
    pub fn f() {
        // Type can be inferred from the constructor
        let p1: MyPair = PairOption::PairBoth(S1, S2);
@@ -1062,6 +1079,8 @@ mod type_aliases {
        g(PairOption::PairSnd(PairOption::PairSnd(S3))); // $ target=g

        let x: S7<S2>; // $ type=x:Result $ type=x:E.S1 $ type=x:T.S4 $ type=x:T.T41.S2 $ type=x:T.T42.S5 $ type=x:T.T42.T5.S2
+
+        let y = GenS(true).get_input(); // $ type=y:Result type=y:T.bool type=y:E.bool target=get_input
    }
 }

@@ -2006,7 +2025,11 @@ mod method_determined_by_argument_type {

        // MyAdd<bool>::my_add
        fn my_add(self, value: bool) -> Self {
-            if value { 1 } else { 0 }
+            if value {
+                1
+            } else {
+                0
+            }
        }
    }

@@ -2057,7 +2080,11 @@ mod method_determined_by_argument_type {
    impl MyFrom<bool> for i64 {
        // MyFrom<bool>::my_from
        fn my_from(value: bool) -> Self {
-            if value { 1 } else { 0 }
+            if value {
+                1
+            } else {
+                0
+            }
        }
    }

@@ -2162,7 +2189,7 @@ mod loops {

        for i in [1, 2, 3] {} // $ type=i:i32
        for i in [1, 2, 3].map(|x| x + 1) {} // $ target=map MISSING: type=i:i32
-        for i in [1, 2, 3].into_iter() {} // $ target=into_iter MISSING: type=i:i32
+        for i in [1, 2, 3].into_iter() {} // $ target=into_iter type=i:i32

        let vals1 = [1u8, 2, 3]; // $ type=vals1:[T;...].u8
        for u in vals1 {} // $ type=u:u8
@@ -2407,7 +2434,7 @@ mod closures {
        Some(1).map(|x| {
            let x = x; // $ MISSING: type=x:i32
            println!("{x}");
-        });  // $ target=map
+        }); // $ target=map

        let table = Table::new(); // $ target=new type=table:Table
        let result = table.count_with(|row| // $ type=result:i64
--- a/rust/ql/test/library-tests/type-inference/type-inference.expected
+++ b/rust/ql/test/library-tests/type-inference/type-inference.expected
--- a/rust/ql/test/query-tests/security/CWE-798/CONSISTENCY/PathResolutionConsistency.expected
+++ b/rust/ql/test/query-tests/security/CWE-798/CONSISTENCY/PathResolutionConsistency.expected
@@ -0,0 +1,10 @@
+multipleCallTargets
+| test_cipher.rs:15:30:15:77 | ...::new(...) |
+| test_cipher.rs:19:30:19:80 | ...::new(...) |
+| test_cipher.rs:22:30:22:98 | ...::new(...) |
+| test_cipher.rs:26:30:26:101 | ...::new(...) |
+| test_cipher.rs:30:30:30:102 | ...::new(...) |
+| test_cipher.rs:38:30:38:81 | ...::new(...) |
+| test_cipher.rs:42:30:42:80 | ...::new(...) |
+| test_cipher.rs:47:30:47:85 | ...::new(...) |
+| test_cipher.rs:51:31:51:83 | ...::new(...) |
--- a/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
+++ b/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
@@ -0,0 +1,122 @@
+#select
+| test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:19:30:19:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:19:30:19:47 | ...::new | a key |
+| test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:19:30:19:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:19:30:19:47 | ...::new | a key |
+| test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:26:30:26:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:26:30:26:40 | ...::new | a key |
+| test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:26:30:26:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:26:30:26:40 | ...::new | a key |
+| test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:30:30:30:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:30:30:30:40 | ...::new | an initialization vector |
+| test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:30:30:30:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:30:30:30:40 | ...::new | an initialization vector |
+| test_cipher.rs:37:27:37:74 | [...] | test_cipher.rs:37:27:37:74 | [...] | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:27:37:74 | [...] | test_cipher.rs:37:27:37:74 | [...] | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:41:29:41:76 | [...] | test_cipher.rs:41:29:41:76 | [...] | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:29:41:76 | [...] | test_cipher.rs:41:29:41:76 | [...] | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:51:31:51:48 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:51:31:51:48 | ...::new | a key |
+| test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:51:31:51:48 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:51:31:51:48 | ...::new | a key |
+| test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:74:23:74:44 | ...::new_from_slice | a key |
+edges
+| test_cipher.rs:18:9:18:14 | const1 [&ref, element] | test_cipher.rs:19:73:19:78 | const1 [&ref, element] | provenance |  |
+| test_cipher.rs:18:28:18:36 | &... [&ref, element] | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | provenance |  |
+| test_cipher.rs:18:29:18:36 | [0u8; 16] [element] | test_cipher.rs:18:28:18:36 | &... [&ref, element] | provenance |  |
+| test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:18:29:18:36 | [0u8; 16] [element] | provenance |  |
+| test_cipher.rs:19:49:19:79 | ...::from_slice(...) [&ref, element] | test_cipher.rs:19:30:19:47 | ...::new | provenance | MaD:2 Sink:MaD:2 Sink:MaD:2 |
+| test_cipher.rs:19:49:19:79 | ...::from_slice(...) [&ref, element] | test_cipher.rs:19:30:19:47 | ...::new | provenance | MaD:4 Sink:MaD:4 Sink:MaD:4 |
+| test_cipher.rs:19:73:19:78 | const1 [&ref, element] | test_cipher.rs:19:49:19:79 | ...::from_slice(...) [&ref, element] | provenance | MaD:7 |
+| test_cipher.rs:25:9:25:14 | const4 [&ref, element] | test_cipher.rs:26:66:26:71 | const4 [&ref, element] | provenance |  |
+| test_cipher.rs:25:28:25:36 | &... [&ref, element] | test_cipher.rs:25:9:25:14 | const4 [&ref, element] | provenance |  |
+| test_cipher.rs:25:29:25:36 | [0u8; 16] [element] | test_cipher.rs:25:28:25:36 | &... [&ref, element] | provenance |  |
+| test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:25:29:25:36 | [0u8; 16] [element] | provenance |  |
+| test_cipher.rs:26:42:26:72 | ...::from_slice(...) [&ref, element] | test_cipher.rs:26:30:26:40 | ...::new | provenance | MaD:2 Sink:MaD:2 Sink:MaD:2 |
+| test_cipher.rs:26:42:26:72 | ...::from_slice(...) [&ref, element] | test_cipher.rs:26:30:26:40 | ...::new | provenance | MaD:4 Sink:MaD:4 Sink:MaD:4 |
+| test_cipher.rs:26:66:26:71 | const4 [&ref, element] | test_cipher.rs:26:42:26:72 | ...::from_slice(...) [&ref, element] | provenance | MaD:7 |
+| test_cipher.rs:29:9:29:14 | const5 [&ref, element] | test_cipher.rs:30:95:30:100 | const5 [&ref, element] | provenance |  |
+| test_cipher.rs:29:28:29:36 | &... [&ref, element] | test_cipher.rs:29:9:29:14 | const5 [&ref, element] | provenance |  |
+| test_cipher.rs:29:29:29:36 | [0u8; 16] [element] | test_cipher.rs:29:28:29:36 | &... [&ref, element] | provenance |  |
+| test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:29:29:29:36 | [0u8; 16] [element] | provenance |  |
+| test_cipher.rs:30:72:30:101 | ...::from_slice(...) [&ref, element] | test_cipher.rs:30:30:30:40 | ...::new | provenance | MaD:3 Sink:MaD:3 Sink:MaD:3 |
+| test_cipher.rs:30:72:30:101 | ...::from_slice(...) [&ref, element] | test_cipher.rs:30:30:30:40 | ...::new | provenance | MaD:5 Sink:MaD:5 Sink:MaD:5 |
+| test_cipher.rs:30:95:30:100 | const5 [&ref, element] | test_cipher.rs:30:72:30:101 | ...::from_slice(...) [&ref, element] | provenance | MaD:7 |
+| test_cipher.rs:37:9:37:14 | const7 | test_cipher.rs:38:74:38:79 | const7 | provenance |  |
+| test_cipher.rs:37:27:37:74 | [...] | test_cipher.rs:37:9:37:14 | const7 | provenance |  |
+| test_cipher.rs:38:49:38:80 | ...::from_slice(...) [&ref] | test_cipher.rs:38:30:38:47 | ...::new | provenance | MaD:2 Sink:MaD:2 |
+| test_cipher.rs:38:49:38:80 | ...::from_slice(...) [&ref] | test_cipher.rs:38:30:38:47 | ...::new | provenance | MaD:4 Sink:MaD:4 |
+| test_cipher.rs:38:73:38:79 | &const7 [&ref] | test_cipher.rs:38:49:38:80 | ...::from_slice(...) [&ref] | provenance | MaD:7 |
+| test_cipher.rs:38:74:38:79 | const7 | test_cipher.rs:38:73:38:79 | &const7 [&ref] | provenance |  |
+| test_cipher.rs:41:9:41:14 | const8 [&ref] | test_cipher.rs:42:73:42:78 | const8 [&ref] | provenance |  |
+| test_cipher.rs:41:28:41:76 | &... [&ref] | test_cipher.rs:41:9:41:14 | const8 [&ref] | provenance |  |
+| test_cipher.rs:41:29:41:76 | [...] | test_cipher.rs:41:28:41:76 | &... [&ref] | provenance |  |
+| test_cipher.rs:42:49:42:79 | ...::from_slice(...) [&ref] | test_cipher.rs:42:30:42:47 | ...::new | provenance | MaD:2 Sink:MaD:2 |
+| test_cipher.rs:42:49:42:79 | ...::from_slice(...) [&ref] | test_cipher.rs:42:30:42:47 | ...::new | provenance | MaD:4 Sink:MaD:4 |
+| test_cipher.rs:42:73:42:78 | const8 [&ref] | test_cipher.rs:42:49:42:79 | ...::from_slice(...) [&ref] | provenance | MaD:7 |
+| test_cipher.rs:50:9:50:15 | const10 [element] | test_cipher.rs:51:75:51:81 | const10 [element] | provenance |  |
+| test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:50:37:50:54 | ...::zeroed(...) [element] | provenance | Src:MaD:6  |
+| test_cipher.rs:50:37:50:54 | ...::zeroed(...) [element] | test_cipher.rs:50:9:50:15 | const10 [element] | provenance |  |
+| test_cipher.rs:51:50:51:82 | ...::from_slice(...) [&ref, element] | test_cipher.rs:51:31:51:48 | ...::new | provenance | MaD:2 Sink:MaD:2 Sink:MaD:2 |
+| test_cipher.rs:51:50:51:82 | ...::from_slice(...) [&ref, element] | test_cipher.rs:51:31:51:48 | ...::new | provenance | MaD:4 Sink:MaD:4 Sink:MaD:4 |
+| test_cipher.rs:51:74:51:81 | &const10 [&ref, element] | test_cipher.rs:51:50:51:82 | ...::from_slice(...) [&ref, element] | provenance | MaD:7 |
+| test_cipher.rs:51:75:51:81 | const10 [element] | test_cipher.rs:51:74:51:81 | &const10 [&ref, element] | provenance |  |
+| test_cipher.rs:73:9:73:14 | const2 [&ref, element] | test_cipher.rs:74:46:74:51 | const2 [&ref, element] | provenance |  |
+| test_cipher.rs:73:18:73:26 | &... [&ref, element] | test_cipher.rs:73:9:73:14 | const2 [&ref, element] | provenance |  |
+| test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | test_cipher.rs:73:18:73:26 | &... [&ref, element] | provenance |  |
+| test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | provenance |  |
+| test_cipher.rs:74:46:74:51 | const2 [&ref, element] | test_cipher.rs:74:23:74:44 | ...::new_from_slice | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+models
+| 1 | Sink: <_ as crypto_common::KeyInit>::new_from_slice; Argument[0]; credentials-key |
+| 2 | Sink: <cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new; Argument[0]; credentials-key |
+| 3 | Sink: <cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new; Argument[1]; credentials-iv |
+| 4 | Sink: <cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new; Argument[0]; credentials-key |
+| 5 | Sink: <cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new; Argument[1]; credentials-iv |
+| 6 | Source: core::mem::zeroed; ReturnValue.Element; constant-source |
+| 7 | Summary: <generic_array::GenericArray>::from_slice; Argument[0].Reference; ReturnValue.Reference; value |
+nodes
+| test_cipher.rs:18:9:18:14 | const1 [&ref, element] | semmle.label | const1 [&ref, element] |
+| test_cipher.rs:18:28:18:36 | &... [&ref, element] | semmle.label | &... [&ref, element] |
+| test_cipher.rs:18:29:18:36 | [0u8; 16] [element] | semmle.label | [0u8; 16] [element] |
+| test_cipher.rs:18:30:18:32 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:19:30:19:47 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:19:30:19:47 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:19:49:19:79 | ...::from_slice(...) [&ref, element] | semmle.label | ...::from_slice(...) [&ref, element] |
+| test_cipher.rs:19:73:19:78 | const1 [&ref, element] | semmle.label | const1 [&ref, element] |
+| test_cipher.rs:25:9:25:14 | const4 [&ref, element] | semmle.label | const4 [&ref, element] |
+| test_cipher.rs:25:28:25:36 | &... [&ref, element] | semmle.label | &... [&ref, element] |
+| test_cipher.rs:25:29:25:36 | [0u8; 16] [element] | semmle.label | [0u8; 16] [element] |
+| test_cipher.rs:25:30:25:32 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:26:30:26:40 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:26:30:26:40 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:26:42:26:72 | ...::from_slice(...) [&ref, element] | semmle.label | ...::from_slice(...) [&ref, element] |
+| test_cipher.rs:26:66:26:71 | const4 [&ref, element] | semmle.label | const4 [&ref, element] |
+| test_cipher.rs:29:9:29:14 | const5 [&ref, element] | semmle.label | const5 [&ref, element] |
+| test_cipher.rs:29:28:29:36 | &... [&ref, element] | semmle.label | &... [&ref, element] |
+| test_cipher.rs:29:29:29:36 | [0u8; 16] [element] | semmle.label | [0u8; 16] [element] |
+| test_cipher.rs:29:30:29:32 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:30:30:30:40 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:30:30:30:40 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:30:72:30:101 | ...::from_slice(...) [&ref, element] | semmle.label | ...::from_slice(...) [&ref, element] |
+| test_cipher.rs:30:95:30:100 | const5 [&ref, element] | semmle.label | const5 [&ref, element] |
+| test_cipher.rs:37:9:37:14 | const7 | semmle.label | const7 |
+| test_cipher.rs:37:27:37:74 | [...] | semmle.label | [...] |
+| test_cipher.rs:38:30:38:47 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:38:30:38:47 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:38:49:38:80 | ...::from_slice(...) [&ref] | semmle.label | ...::from_slice(...) [&ref] |
+| test_cipher.rs:38:73:38:79 | &const7 [&ref] | semmle.label | &const7 [&ref] |
+| test_cipher.rs:38:74:38:79 | const7 | semmle.label | const7 |
+| test_cipher.rs:41:9:41:14 | const8 [&ref] | semmle.label | const8 [&ref] |
+| test_cipher.rs:41:28:41:76 | &... [&ref] | semmle.label | &... [&ref] |
+| test_cipher.rs:41:29:41:76 | [...] | semmle.label | [...] |
+| test_cipher.rs:42:30:42:47 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:42:30:42:47 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:42:49:42:79 | ...::from_slice(...) [&ref] | semmle.label | ...::from_slice(...) [&ref] |
+| test_cipher.rs:42:73:42:78 | const8 [&ref] | semmle.label | const8 [&ref] |
+| test_cipher.rs:50:9:50:15 | const10 [element] | semmle.label | const10 [element] |
+| test_cipher.rs:50:37:50:52 | ...::zeroed | semmle.label | ...::zeroed |
+| test_cipher.rs:50:37:50:54 | ...::zeroed(...) [element] | semmle.label | ...::zeroed(...) [element] |
+| test_cipher.rs:51:31:51:48 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:51:31:51:48 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:51:50:51:82 | ...::from_slice(...) [&ref, element] | semmle.label | ...::from_slice(...) [&ref, element] |
+| test_cipher.rs:51:74:51:81 | &const10 [&ref, element] | semmle.label | &const10 [&ref, element] |
+| test_cipher.rs:51:75:51:81 | const10 [element] | semmle.label | const10 [element] |
+| test_cipher.rs:73:9:73:14 | const2 [&ref, element] | semmle.label | const2 [&ref, element] |
+| test_cipher.rs:73:18:73:26 | &... [&ref, element] | semmle.label | &... [&ref, element] |
+| test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | semmle.label | [0u8; 32] [element] |
+| test_cipher.rs:73:20:73:22 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:74:23:74:44 | ...::new_from_slice | semmle.label | ...::new_from_slice |
+| test_cipher.rs:74:46:74:51 | const2 [&ref, element] | semmle.label | const2 [&ref, element] |
+subpaths
--- a/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.qlref
+++ b/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.qlref
@@ -0,0 +1,4 @@
+query: queries/security/CWE-798/HardcodedCryptographicValue.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
--- a/rust/ql/test/query-tests/security/CWE-798/options.yml
+++ b/rust/ql/test/query-tests/security/CWE-798/options.yml
@@ -0,0 +1,10 @@
+qltest_cargo_check: true
+qltest_dependencies:
+    - cipher = { version = "0.4.4" }
+    - rabbit = { version = "0.4.1" }
+    - aes = { version = "0.8.4" }
+    - aes-gcm = { version = "0.10.3" }
+    - cfb-mode = { version = "0.8.2" }
+    - base64 = { version = "0.22.1" }
+    - getrandom = { version = "0.3.1" }
+    - getrandom2 = { package = "getrandom", version = "0.2.15" }
--- a/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
+++ b/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
@@ -0,0 +1,147 @@
+
+use cipher::{consts::*, StreamCipher, AsyncStreamCipher, KeyInit, KeyIvInit, BlockEncrypt};
+use rabbit::{Rabbit, RabbitKeyOnly};
+use aes::Aes256;
+
+// --- tests ---
+
+fn test_stream_cipher_rabbit(
+    key: &[u8;16], iv: &[u8;16], plaintext: &str
+) {
+    let mut data = plaintext.as_bytes().to_vec();
+
+    // rabbit
+
+    let mut rabbit_cipher1 = RabbitKeyOnly::new(rabbit::Key::from_slice(key));
+    rabbit_cipher1.apply_keystream(&mut data);
+
+    let const1: &[u8;16] = &[0u8;16]; // $ Alert[rust/hard-coded-cryptographic-value]
+    let mut rabbit_cipher2 = RabbitKeyOnly::new(rabbit::Key::from_slice(const1)); // $ Sink
+    rabbit_cipher2.apply_keystream(&mut data);
+
+    let mut rabbit_cipher3 = Rabbit::new(rabbit::Key::from_slice(key), rabbit::Iv::from_slice(iv));
+    rabbit_cipher3.apply_keystream(&mut data);
+
+    let const4: &[u8;16] = &[0u8;16]; // $ Alert[rust/hard-coded-cryptographic-value]
+    let mut rabbit_cipher4 = Rabbit::new(rabbit::Key::from_slice(const4), rabbit::Iv::from_slice(iv)); // $ Sink
+    rabbit_cipher4.apply_keystream(&mut data);
+
+    let const5: &[u8;16] = &[0u8;16]; // $ Alert[rust/hard-coded-cryptographic-value]
+    let mut rabbit_cipher5 = Rabbit::new(rabbit::Key::from_slice(key), rabbit::Iv::from_slice(const5)); // $ Sink
+    rabbit_cipher5.apply_keystream(&mut data);
+
+    // various expressions of constant arrays
+
+    let const6: &[u8;16] = &[0u8;16]; // (unused, so good)
+
+    let const7: [u8;16] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hard-coded-cryptographic-value]
+    let mut rabbit_cipher7 = RabbitKeyOnly::new(rabbit::Key::from_slice(&const7)); // $ Sink
+    rabbit_cipher7.apply_keystream(&mut data);
+
+    let const8: &[u8;16] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hard-coded-cryptographic-value]
+    let mut rabbit_cipher8 = RabbitKeyOnly::new(rabbit::Key::from_slice(const8)); // $ Sink
+    rabbit_cipher8.apply_keystream(&mut data);
+
+    let const9: [u16;8] = [0, 0, 0, 0, 0, 0, 0, 0]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let const9_conv = unsafe { const9.align_to::<u8>().1 }; // convert [u16;8] -> [u8;8]
+    let mut rabbit_cipher9 = RabbitKeyOnly::new(rabbit::Key::from_slice(const9_conv)); // $ MISSING: Sink
+    rabbit_cipher9.apply_keystream(&mut data);
+
+    let const10: [u8;16] = unsafe { std::mem::zeroed() }; // $ Alert[rust/hard-coded-cryptographic-value]
+    let mut rabbit_cipher10 = RabbitKeyOnly::new(rabbit::Key::from_slice(&const10)); // $ Sink
+    rabbit_cipher10.apply_keystream(&mut data);
+}
+
+use base64::Engine;
+
+fn test_block_cipher_aes(
+    key: &[u8], iv: &[u8], key256: &[u8;32], key_str: &str,
+    block128: &mut [u8;16], input: &[u8], output: &mut [u8]
+) {
+    // aes
+
+    let aes_cipher1 = Aes256::new(key256.into());
+    aes_cipher1.encrypt_block(block128.into());
+
+    let const2 = &[0u8;32]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let aes_cipher2 = Aes256::new(const2.into()); // $ MISSING: Sink
+    aes_cipher2.encrypt_block(block128.into());
+
+    let aes_cipher3 = Aes256::new_from_slice(key256).unwrap();
+    aes_cipher3.encrypt_block(block128.into());
+
+    let const2 = &[0u8;32]; // $ Alert[rust/hard-coded-cryptographic-value]
+    let aes_cipher4 = Aes256::new_from_slice(const2).unwrap(); // $ Sink
+    aes_cipher4.encrypt_block(block128.into());
+
+    let aes_cipher5 = cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), iv.into());
+    _ = aes_cipher5.encrypt_b2b(input, output).unwrap();
+
+    let const6 = &[0u8;32]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let aes_cipher6 = cfb_mode::Encryptor::<aes::Aes256>::new(const6.into(), iv.into()); // $ MISSING: Sink
+    _ = aes_cipher6.encrypt_b2b(input, output).unwrap();
+
+    let const7 = &[0u8; 16]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let aes_cipher7 = cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), const7.into()); // $ MISSING: Sink
+    _ = aes_cipher7.encrypt_b2b(input, output).unwrap();
+
+    // various string conversions
+
+    let key8: &[u8] = key_str.as_bytes();
+    let aes_cipher8 = cfb_mode::Encryptor::<aes::Aes256>::new(key8.into(), iv.into());
+    _ = aes_cipher8.encrypt_b2b(input, output).unwrap();
+
+    let key9: &[u8] = "1234567890123456".as_bytes(); // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let aes_cipher9 = cfb_mode::Encryptor::<aes::Aes256>::new(key9.into(), iv.into());
+    _ = aes_cipher9.encrypt_b2b(input, output).unwrap();
+
+    let key10: [u8; 32] = match base64::engine::general_purpose::STANDARD.decode(key_str) {
+        Ok(x) => x.try_into().unwrap(),
+        Err(_) => "1234567890123456".as_bytes().try_into().unwrap() // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    };
+    let aes_cipher10 = Aes256::new(&key10.into());
+    aes_cipher10.encrypt_block(block128.into());
+
+    if let Ok(const11) = base64::engine::general_purpose::STANDARD.decode("1234567890123456") { // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+        let key11: [u8; 32] = const11.try_into().unwrap();
+        let aes_cipher11 = Aes256::new(&key11.into());
+        aes_cipher11.encrypt_block(block128.into());
+    }
+}
+
+use aes_gcm::aead::{Aead, AeadCore, OsRng};
+use aes_gcm::{Aes256Gcm, Key, Nonce};
+
+fn test_aes_gcm(
+) {
+    // aes (GCM)
+
+    let key1 = Aes256Gcm::generate_key(aes_gcm::aead::OsRng);
+    let nonce1 = Aes256Gcm::generate_nonce(aes_gcm::aead::OsRng);
+    let cipher1 = Aes256Gcm::new(&key1);
+    let _ = cipher1.encrypt(&nonce1, b"plaintext".as_ref()).unwrap();
+
+    let key2: [u8;32] = [0;32]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let nonce2 = [0;12]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let cipher2 = Aes256Gcm::new(&key2.into()); // $ MISSING: Sink
+    let _ = cipher2.encrypt(&nonce2.into(), b"plaintext".as_ref()).unwrap(); // $ MISSING: Sink
+
+    let key3_array: &[u8;32] = &[0xff;32]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let key3 = Key::<Aes256Gcm>::from_slice(key3_array);
+    let nonce3: [u8;12] = [0xff;12]; // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
+    let cipher3 = Aes256Gcm::new(&key3); // $ MISSING: Sink
+    let _ = cipher3.encrypt(&nonce3.into(), b"plaintext".as_ref()).unwrap(); // $ MISSING: Sink
+
+    // with barrier
+
+    let mut key4 = [0u8;32];
+    let mut nonce4 = [0u8;12];
+    _ = getrandom::fill(&mut key4).unwrap();
+    _ = getrandom2::getrandom(&mut nonce4).unwrap();
+    let cipher4 = Aes256Gcm::new(&key4.into());
+    let _ = cipher4.encrypt(&nonce4.into(), b"plaintext".as_ref()).unwrap();
+
+    let mut key5 = [0u8;32];
+    _ = getrandom::fill(&mut key5).unwrap();
+    let _ = Aes256::new_from_slice(&key5).unwrap();
+}