diff --git a/java/ql/lib/ext/com.couchbase.client.core.env.model.yml b/java/ql/lib/ext/com.couchbase.client.core.env.model.yml
index 8222b8e88cd..09179f7589b 100644
--- a/java/ql/lib/ext/com.couchbase.client.core.env.model.yml
+++ b/java/ql/lib/ext/com.couchbase.client.core.env.model.yml
@@ -3,10 +3,26 @@ extensions:
 pack: codeql/java-all
 extensible: sinkModel
 data:
- - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[0]", "credentials-key", "manual"]
+ # 'credentials-password' sinks
 - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
- - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional)", "", "Argument[1]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional)", "", "Argument[1]", "credentials-password", "manual"]
 - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
- - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
- - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0]", "credentials-password", "manual"]
 - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(Supplier)", "", "Argument[0]", "credentials-password", "manual"]
+ # 'credentials-username' sinks
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]
+
+ - addsTo:
+ pack: codeql/java-all
+ extensible: summaryModel
+ data:
+ - ["com.couchbase.client.core.env", "UsernameAndPassword", true, "UsernameAndPassword", "(String,String)", "", "Argument[0..1]", "Argument[this]", "taint", "manual"]
diff --git a/java/ql/lib/ext/com.couchbase.client.java.model.yml b/java/ql/lib/ext/com.couchbase.client.java.model.yml
index 1c64294dc55..2a821e9f11a 100644
--- a/java/ql/lib/ext/com.couchbase.client.java.model.yml
+++ b/java/ql/lib/ext/com.couchbase.client.java.model.yml
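Review bot: The `credentials-key` sink on `fromKey`'s `PrivateKey` parameter (`"Argument[0]", "credentials-key"`) is removed at the top of the hunk and nothing replaces it, so a hard-coded private key handed to `CertificateAuthenticator.fromKey` is no longer reported while the password on `Argument[1]` still is. Unless that sink kind was retired elsewhere, this looks like an accidental loss while the rows were regrouped by kind; if it is deliberate, a comment such as `# fromKey Argument[0] (PrivateKey) intentionally not modelled` would stop the next editor from re-adding it. Separately, the two `builder`/`(Supplier)` rows mark the same `Argument[0]` as both a `credentials-password` and a `credentials-username` sink, which is sensible for a supplier of a combined `UsernameAndPassword` value but differs from every other row, so a one-line comment above them stating that intent would help.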
@@ -3,42 +3,26 @@ extensions:
 pack: codeql/java-all
 extensible: sinkModel
 data:
- - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
- - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+ # 'credentials-username' sinks
 - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[1]", "credentials-username", "manual"]
+ - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+ # 'credentials-password' sinks
 - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
- - ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
- - ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+ # 'sql-injection' sinks
 - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
 - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
- - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
- - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
 - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery)", "", "Argument[1]", "sql-injection", "manual"]
 - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery,SearchOptions)", "", "Argument[1]", "sql-injection", "manual"]
- - ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object)", "", "Argument[1]", "sql-injection", "manual"]
- - ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object,UpsertOptions)", "", "Argument[1]", "sql-injection", "manual"]
- - ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object)", "", "Argument[1]", "sql-injection", "manual"]
- - ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object,ReplaceOptions)", "", "Argument[1]", "sql-injection", "manual"]
 - addsTo:
 pack: codeql/java-all
 extensible: summaryModel
 data:
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,long)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,number)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,double)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+ - ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[0]", "ReturnValue.MapKey", "taint", "manual"]
+ - ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[1]", "ReturnValue.MapValue", "taint", "manual"]
 - ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
index f46ff80ba52..decbd174783 100644
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
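Review bot: The two `analysticsQuery` rows kept as context under the new `# 'sql-injection' sinks` heading appear to misspell the SDK method `analyticsQuery`; a model row whose method name does not exist never matches any call, so those sinks are silently dead and the regrouping was the moment to correct them (worth checking against the Couchbase `Cluster` API before editing). Separately, the rewritten `JsonObject.put` summaries propagate only to `ReturnValue.MapKey` and `ReturnValue.MapValue`; if `put` mutates the receiver and returns it, as a fluent builder presumably does here, a call whose result is discarded (`obj.put("k", tainted); useSomewhere(obj);`) loses the taint on `obj`. Adding the mirror rows `- [..., "put", "", "", "Argument[0]", "Argument[this].MapKey", "taint", "manual"]` and `- [..., "put", "", "", "Argument[1]", "Argument[this].MapValue", "taint", "manual"]` would keep both usage patterns covered, and the unchanged `putNull` row would want the same treatment.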
@@ -1,35 +1,53 @@
 import static com.couchbase.client.java.ClusterOptions.clusterOptions;
-import com.couchbase.client.core.env.Authenticator;
 import com.couchbase.client.core.env.CertificateAuthenticator;
 import com.couchbase.client.core.env.PasswordAuthenticator;
+import com.couchbase.client.core.env.UsernameAndPassword;
 import com.couchbase.client.java.Cluster;
+import java.util.function.Supplier;
 public class HardcodedCouchBaseCredentials {
 public static void test() {
- Cluster cluster1 =
- Cluster.connect(
- "127.0.0.1",
- "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
- "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
- Cluster cluster2 =
- Cluster.connect(
- "127.0.0.1",
- clusterOptions(
- "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
- "password")); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
- PasswordAuthenticator authenticator1 =
- PasswordAuthenticator.builder()
- .username(
- "Administrator") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
- .password("password") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
- .onlyEnablePlainSaslMechanism()
- .build();
+ // com.couchbase.client.core.env.CertificateAuthenticator sinks
+ CertificateAuthenticator.fromKey(null, "keyPassword", null); // $ HardcodedCredentialsApiCall
+ CertificateAuthenticator.fromKeyStore(
+ null, "keyStorePassword", null); // $ HardcodedCredentialsApiCall
+ CertificateAuthenticator.fromKeyStore(
+ null, "keyStorePassword"); // $ HardcodedCredentialsApiCall
- Authenticator authenticator2 =
- CertificateAuthenticator.fromKeyStore(
- null,
- "keyStorePassword"); // $ HardcodedCredentialsApiCall
- Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator2));
+ // com.couchbase.client.core.env.PasswordAuthenticator sinks
+ PasswordAuthenticator.create(
+ "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ PasswordAuthenticator.ldapCompatible(
+ "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+
+ // com.couchbase.client.core.env.PasswordAuthenticator$Builder sinks
+ PasswordAuthenticator.builder(
+ "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ PasswordAuthenticator.builder()
+ .username("Administrator") // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ .password("password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ PasswordAuthenticator.builder((Supplier) new UsernameAndPassword(
+ "Administrator", // $ HardcodedCredentialsSourceCall$ MISSING: HardcodedCredentialsApiCall
+ "password")); // $ HardcodedCredentialsSourceCall$ MISSING: HardcodedCredentialsApiCall
+ PasswordAuthenticator.builder()
+ .username((Supplier) () -> {return "Administrator";}) // $ MISSING: HardcodedCredentialsApiCall
+ .password((Supplier) () -> {return "password";}); // $ MISSING: HardcodedCredentialsApiCall
+
+ // com.couchbase.client.java.Cluster sinks
+ Cluster.connect(
+ "127.0.0.1",
+ "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+ "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+
+ // com.couchbase.client.java.ClusterOptions sinks
+ Cluster.connect(
+ "127.0.0.1",
+ clusterOptions(
+ "Administrator", // $ HardcodedCredentialsApiCall
+ "password")); // $ HardcodedCredentialsApiCall
 }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java
index ec37e812463..f5faca54ad3 100644
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java
@@ -23,6 +23,14 @@ public class PasswordAuthenticator implements Authenticator {
 return null;
 }
+ public static PasswordAuthenticator.Builder builder(String username, String password) {
+ return null;
+ }
+
+ public static PasswordAuthenticator.Builder builder(Supplier supplier) {
+ return null;
+ }
+
 public static PasswordAuthenticator create(final String username, final String password) {
 return null;
 }
@@ -46,7 +54,6 @@ public class PasswordAuthenticator implements Authenticator {
 }
 public Builder password(final String password) {
-
 return null;
 }
@@ -54,11 +61,11 @@ public class PasswordAuthenticator implements Authenticator {
 return null;
 }
- public Builder onlyEnablePlainSaslMechanism() {
+ public static PasswordAuthenticator builder(String username, String password) {
 return null;
 }
- public PasswordAuthenticator build() {
+ public static PasswordAuthenticator builder(Supplier supplier) {
 return null;
 }
 }
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java
index 72d3ba0647b..5853a667331 100644
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java
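Review bot: `PasswordAuthenticator.builder((Supplier) new UsernameAndPassword(...))` in the `$Builder sinks` group casts a `UsernameAndPassword` to `Supplier`, an interface the stub class does not implement, so the test exercises a shape that would throw `ClassCastException` at runtime rather than the SDK's `Supplier<UsernameAndPassword>` usage, and the two `MISSING: HardcodedCredentialsApiCall` expectations on those lines may be an artefact of the cast rather than a real model gap. The idiomatic call is `PasswordAuthenticator.builder(() -> new UsernameAndPassword("Administrator", "password"));`; if that is still reported as MISSING, the expectation then documents the genuine limitation (a literal reaching the sink only through a lambda body). The same applies to `(Supplier) () -> {return "Administrator";}` and its `password` twin, where `(Supplier<String>) () -> "Administrator"` would avoid the raw type and read as the SDK call does.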
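Review bot: The third hunk of PasswordAuthenticator.java (`@@ -54,11 +61,11 @@`) replaces `onlyEnablePlainSaslMechanism()` and `build()` with two `static` `builder(...)` methods that return `PasswordAuthenticator`, but the surrounding methods return `Builder` and the hunk closes with two braces, so this appears to be the nested `Builder` class; those copies duplicate the outer-class `public static PasswordAuthenticator.Builder builder(...)` overloads added in the first hunk, return a different type, and are reachable only as `PasswordAuthenticator.Builder.builder(...)`, which neither the `"PasswordAuthenticator", true, "builder"` model rows nor the test call. The first hunk's overloads are the ones that match the model, so the nested pair looks like a stray paste; restoring `public Builder onlyEnablePlainSaslMechanism() {` and `public PasswordAuthenticator build() {` and dropping the two nested `builder` methods keeps the stub consistent with the real API. Both added `builder` overloads also take a raw `Supplier`; `Supplier<UsernameAndPassword>` would mirror the SDK signature and make the intent of the `(Supplier)` model row explicit. The `Builder` class header itself is outside the hunk, so the nesting is inferred from the context lines.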
@@ -16,4 +16,6 @@ package com.couchbase.client.core.env;
-public class UsernameAndPassword {}
\ No newline at end of file
+public class UsernameAndPassword {
+ public UsernameAndPassword(String username, String password) {}
+}
\ No newline at end of file