From f3d78a4e0bcc60bcd11199bc6357d83379851872 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 8 Jan 2026 21:09:55 +0100
Subject: [PATCH] Rust: Update expected test output

---
 .../dataflow/sources/net/InlineFlow.expected  |  68 +++++++----
 .../dataflow/sources/net/test.rs              |   6 +-
 .../security/CWE-117/LogInjection.expected    | 114 ++++++++++++++++--
 .../test/query-tests/security/CWE-117/main.rs |  16 +--
 .../CWE-295/DisabledCertificateCheck.expected |  46 +++++--
 .../test/query-tests/security/CWE-295/main.rs |   4 +-
 6 files changed, 198 insertions(+), 56 deletions(-)

diff --git a/rust/ql/test/library-tests/dataflow/sources/net/InlineFlow.expected b/rust/ql/test/library-tests/dataflow/sources/net/InlineFlow.expected
index d9f811bd341..31a41522450 100644
--- a/rust/ql/test/library-tests/dataflow/sources/net/InlineFlow.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/net/InlineFlow.expected
@@ -28,46 +28,49 @@ models
 | 27 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
 | 28 | Summary: <futures_rustls::TlsConnector>::connect; Argument[1]; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
 | 29 | Summary: <futures_util::io::buf_reader::BufReader>::new; Argument[0]; ReturnValue; taint |
-| 30 | Summary: <reqwest::async_impl::response::Response>::bytes; Argument[self]; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
-| 31 | Summary: <reqwest::async_impl::response::Response>::chunk; Argument[self].Reference; ReturnValue.Future.Field[core::result::Result::Ok(0)].Field[core::option::Option::Some(0)]; taint |
-| 32 | Summary: <reqwest::async_impl::response::Response>::text; Argument[self]; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
-| 33 | Summary: <reqwest::blocking::response::Response>::bytes; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
-| 34 | Summary: <reqwest::blocking::response::Response>::text; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
-| 35 | Summary: <reqwest::blocking::response::Response>::text_with_charset; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
-| 36 | Summary: <std::io::buffered::bufreader::BufReader>::new; Argument[0]; ReturnValue; taint |
-| 37 | Summary: <tokio::net::tcp::stream::TcpStream>::peek; Argument[self].Reference; Argument[0].Reference; taint |
-| 38 | Summary: <tokio::net::tcp::stream::TcpStream>::try_read; Argument[self].Reference; Argument[0].Reference; taint |
-| 39 | Summary: <tokio::net::tcp::stream::TcpStream>::try_read_buf; Argument[self].Reference; Argument[0].Reference; taint |
+| 30 | Summary: <http::response::Response>::body; Argument[self].Reference.Field[http::response::Response::body]; ReturnValue.Reference; value |
+| 31 | Summary: <http::response::Response>::body_mut; Argument[self].Reference.Field[http::response::Response::body]; ReturnValue.Reference; value |
+| 32 | Summary: <http::response::Response>::into_body; Argument[self].Field[http::response::Response::body]; ReturnValue; value |
+| 33 | Summary: <reqwest::async_impl::response::Response>::bytes; Argument[self]; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
+| 34 | Summary: <reqwest::async_impl::response::Response>::chunk; Argument[self].Reference; ReturnValue.Future.Field[core::result::Result::Ok(0)].Field[core::option::Option::Some(0)]; taint |
+| 35 | Summary: <reqwest::async_impl::response::Response>::text; Argument[self]; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
+| 36 | Summary: <reqwest::blocking::response::Response>::bytes; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 37 | Summary: <reqwest::blocking::response::Response>::text; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 38 | Summary: <reqwest::blocking::response::Response>::text_with_charset; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 39 | Summary: <std::io::buffered::bufreader::BufReader>::new; Argument[0]; ReturnValue; taint |
+| 40 | Summary: <tokio::net::tcp::stream::TcpStream>::peek; Argument[self].Reference; Argument[0].Reference; taint |
+| 41 | Summary: <tokio::net::tcp::stream::TcpStream>::try_read; Argument[self].Reference; Argument[0].Reference; taint |
+| 42 | Summary: <tokio::net::tcp::stream::TcpStream>::try_read_buf; Argument[self].Reference; Argument[0].Reference; taint |
 edges
 | test.rs:11:9:11:22 | remote_string1 | test.rs:12:10:12:23 | remote_string1 | provenance |  |
 | test.rs:11:26:11:47 | ...::get | test.rs:11:26:11:62 | ...::get(...) [Ok] | provenance | Src:MaD:7  |
 | test.rs:11:26:11:62 | ...::get(...) [Ok] | test.rs:11:26:11:63 | TryExpr | provenance |  |
-| test.rs:11:26:11:63 | TryExpr | test.rs:11:26:11:70 | ... .text() [Ok] | provenance | MaD:34 |
+| test.rs:11:26:11:63 | TryExpr | test.rs:11:26:11:70 | ... .text() [Ok] | provenance | MaD:37 |
 | test.rs:11:26:11:70 | ... .text() [Ok] | test.rs:11:26:11:71 | TryExpr | provenance |  |
 | test.rs:11:26:11:71 | TryExpr | test.rs:11:9:11:22 | remote_string1 | provenance |  |
 | test.rs:14:9:14:22 | remote_string2 | test.rs:15:10:15:23 | remote_string2 | provenance |  |
 | test.rs:14:26:14:47 | ...::get | test.rs:14:26:14:62 | ...::get(...) [Ok] | provenance | Src:MaD:7  |
 | test.rs:14:26:14:62 | ...::get(...) [Ok] | test.rs:14:26:14:71 | ... .unwrap() | provenance | MaD:27 |
-| test.rs:14:26:14:71 | ... .unwrap() | test.rs:14:26:14:78 | ... .text() [Ok] | provenance | MaD:34 |
+| test.rs:14:26:14:71 | ... .unwrap() | test.rs:14:26:14:78 | ... .text() [Ok] | provenance | MaD:37 |
 | test.rs:14:26:14:78 | ... .text() [Ok] | test.rs:14:26:14:87 | ... .unwrap() | provenance | MaD:27 |
 | test.rs:14:26:14:87 | ... .unwrap() | test.rs:14:9:14:22 | remote_string2 | provenance |  |
 | test.rs:17:9:17:22 | remote_string3 | test.rs:18:10:18:23 | remote_string3 | provenance |  |
 | test.rs:17:26:17:47 | ...::get | test.rs:17:26:17:62 | ...::get(...) [Ok] | provenance | Src:MaD:7  |
 | test.rs:17:26:17:62 | ...::get(...) [Ok] | test.rs:17:26:17:71 | ... .unwrap() | provenance | MaD:27 |
-| test.rs:17:26:17:71 | ... .unwrap() | test.rs:17:26:17:98 | ... .text_with_charset(...) [Ok] | provenance | MaD:35 |
+| test.rs:17:26:17:71 | ... .unwrap() | test.rs:17:26:17:98 | ... .text_with_charset(...) [Ok] | provenance | MaD:38 |
 | test.rs:17:26:17:98 | ... .text_with_charset(...) [Ok] | test.rs:17:26:17:107 | ... .unwrap() | provenance | MaD:27 |
 | test.rs:17:26:17:107 | ... .unwrap() | test.rs:17:9:17:22 | remote_string3 | provenance |  |
 | test.rs:20:9:20:22 | remote_string4 | test.rs:21:10:21:23 | remote_string4 | provenance |  |
 | test.rs:20:26:20:47 | ...::get | test.rs:20:26:20:62 | ...::get(...) [Ok] | provenance | Src:MaD:7  |
 | test.rs:20:26:20:62 | ...::get(...) [Ok] | test.rs:20:26:20:71 | ... .unwrap() | provenance | MaD:27 |
-| test.rs:20:26:20:71 | ... .unwrap() | test.rs:20:26:20:79 | ... .bytes() [Ok] | provenance | MaD:33 |
+| test.rs:20:26:20:71 | ... .unwrap() | test.rs:20:26:20:79 | ... .bytes() [Ok] | provenance | MaD:36 |
 | test.rs:20:26:20:79 | ... .bytes() [Ok] | test.rs:20:26:20:88 | ... .unwrap() | provenance | MaD:27 |
 | test.rs:20:26:20:88 | ... .unwrap() | test.rs:20:9:20:22 | remote_string4 | provenance |  |
 | test.rs:23:9:23:22 | remote_string5 | test.rs:24:10:24:23 | remote_string5 | provenance |  |
 | test.rs:23:26:23:37 | ...::get | test.rs:23:26:23:52 | ...::get(...) [future, Ok] | provenance | Src:MaD:8  |
 | test.rs:23:26:23:52 | ...::get(...) [future, Ok] | test.rs:23:26:23:58 | await ... [Ok] | provenance |  |
 | test.rs:23:26:23:58 | await ... [Ok] | test.rs:23:26:23:59 | TryExpr | provenance |  |
-| test.rs:23:26:23:59 | TryExpr | test.rs:23:26:23:66 | ... .text() [future, Ok] | provenance | MaD:32 |
+| test.rs:23:26:23:59 | TryExpr | test.rs:23:26:23:66 | ... .text() [future, Ok] | provenance | MaD:35 |
 | test.rs:23:26:23:66 | ... .text() [future, Ok] | test.rs:23:26:23:72 | await ... [Ok] | provenance |  |
 | test.rs:23:26:23:72 | await ... [Ok] | test.rs:23:26:23:73 | TryExpr | provenance |  |
 | test.rs:23:26:23:73 | TryExpr | test.rs:23:9:23:22 | remote_string5 | provenance |  |
@@ -75,7 +78,7 @@ edges
 | test.rs:26:26:26:37 | ...::get | test.rs:26:26:26:52 | ...::get(...) [future, Ok] | provenance | Src:MaD:8  |
 | test.rs:26:26:26:52 | ...::get(...) [future, Ok] | test.rs:26:26:26:58 | await ... [Ok] | provenance |  |
 | test.rs:26:26:26:58 | await ... [Ok] | test.rs:26:26:26:59 | TryExpr | provenance |  |
-| test.rs:26:26:26:59 | TryExpr | test.rs:26:26:26:67 | ... .bytes() [future, Ok] | provenance | MaD:30 |
+| test.rs:26:26:26:59 | TryExpr | test.rs:26:26:26:67 | ... .bytes() [future, Ok] | provenance | MaD:33 |
 | test.rs:26:26:26:67 | ... .bytes() [future, Ok] | test.rs:26:26:26:73 | await ... [Ok] | provenance |  |
 | test.rs:26:26:26:73 | await ... [Ok] | test.rs:26:26:26:74 | TryExpr | provenance |  |
 | test.rs:26:26:26:74 | TryExpr | test.rs:26:9:26:22 | remote_string6 | provenance |  |
@@ -85,13 +88,13 @@ edges
 | test.rs:29:24:29:50 | ...::get(...) [future, Ok] | test.rs:29:24:29:56 | await ... [Ok] | provenance |  |
 | test.rs:29:24:29:56 | await ... [Ok] | test.rs:29:24:29:57 | TryExpr | provenance |  |
 | test.rs:29:24:29:57 | TryExpr | test.rs:29:9:29:20 | mut request1 | provenance |  |
-| test.rs:30:10:30:17 | request1 | test.rs:30:10:30:25 | request1.chunk() [future, Ok, Some] | provenance | MaD:31 |
+| test.rs:30:10:30:17 | request1 | test.rs:30:10:30:25 | request1.chunk() [future, Ok, Some] | provenance | MaD:34 |
 | test.rs:30:10:30:25 | request1.chunk() [future, Ok, Some] | test.rs:30:10:30:31 | await ... [Ok, Some] | provenance |  |
 | test.rs:30:10:30:31 | await ... [Ok, Some] | test.rs:30:10:30:32 | TryExpr [Some] | provenance |  |
 | test.rs:30:10:30:32 | TryExpr [Some] | test.rs:30:10:30:41 | ... .unwrap() | provenance | MaD:24 |
 | test.rs:31:15:31:25 | Some(...) [Some] | test.rs:31:20:31:24 | chunk | provenance |  |
 | test.rs:31:20:31:24 | chunk | test.rs:32:14:32:18 | chunk | provenance |  |
-| test.rs:31:29:31:36 | request1 | test.rs:31:29:31:44 | request1.chunk() [future, Ok, Some] | provenance | MaD:31 |
+| test.rs:31:29:31:36 | request1 | test.rs:31:29:31:44 | request1.chunk() [future, Ok, Some] | provenance | MaD:34 |
 | test.rs:31:29:31:44 | request1.chunk() [future, Ok, Some] | test.rs:31:29:31:50 | await ... [Ok, Some] | provenance |  |
 | test.rs:31:29:31:50 | await ... [Ok, Some] | test.rs:31:29:31:51 | TryExpr [Some] | provenance |  |
 | test.rs:31:29:31:51 | TryExpr [Some] | test.rs:31:15:31:25 | Some(...) [Some] | provenance |  |
@@ -103,11 +106,20 @@ edges
 | test.rs:60:31:60:42 | send_request | test.rs:60:24:60:51 | sender.send_request(...) [future, Ok] | provenance | Src:MaD:2  |
 | test.rs:61:15:61:22 | response | test.rs:61:14:61:22 | &response | provenance |  |
 | test.rs:67:9:67:20 | mut response | test.rs:68:11:68:18 | response | provenance |  |
+| test.rs:67:9:67:20 | mut response | test.rs:76:18:76:25 | response | provenance |  |
+| test.rs:67:9:67:20 | mut response | test.rs:77:18:77:25 | response | provenance |  |
+| test.rs:67:9:67:20 | mut response | test.rs:79:24:79:31 | response | provenance |  |
 | test.rs:67:24:67:51 | sender.send_request(...) [future, Ok] | test.rs:67:24:67:57 | await ... [Ok] | provenance |  |
 | test.rs:67:24:67:57 | await ... [Ok] | test.rs:67:24:67:58 | TryExpr | provenance |  |
 | test.rs:67:24:67:58 | TryExpr | test.rs:67:9:67:20 | mut response | provenance |  |
 | test.rs:67:31:67:42 | send_request | test.rs:67:24:67:51 | sender.send_request(...) [future, Ok] | provenance | Src:MaD:2  |
 | test.rs:68:11:68:18 | response | test.rs:68:10:68:18 | &response | provenance |  |
+| test.rs:76:18:76:25 | response | test.rs:76:18:76:32 | response.body() | provenance | MaD:30 |
+| test.rs:77:18:77:25 | response | test.rs:77:18:77:36 | response.body_mut() | provenance | MaD:31 |
+| test.rs:79:17:79:20 | body | test.rs:80:19:80:22 | body | provenance |  |
+| test.rs:79:24:79:31 | response | test.rs:79:24:79:43 | response.into_body() | provenance | MaD:32 |
+| test.rs:79:24:79:43 | response.into_body() | test.rs:79:17:79:20 | body | provenance |  |
+| test.rs:80:19:80:22 | body | test.rs:80:18:80:22 | &body | provenance |  |
 | test.rs:155:13:155:22 | mut stream | test.rs:162:17:162:22 | stream | provenance |  |
 | test.rs:155:26:155:53 | ...::connect | test.rs:155:26:155:62 | ...::connect(...) [Ok] | provenance | Src:MaD:4  |
 | test.rs:155:26:155:62 | ...::connect(...) [Ok] | test.rs:155:26:155:63 | TryExpr | provenance |  |
@@ -125,7 +137,7 @@ edges
 | test.rs:182:21:182:30 | mut reader | test.rs:185:27:185:32 | reader | provenance |  |
 | test.rs:182:34:182:64 | ...::new(...) | test.rs:182:34:182:74 | ... .take(...) | provenance | MaD:22 |
 | test.rs:182:34:182:74 | ... .take(...) | test.rs:182:21:182:30 | mut reader | provenance |  |
-| test.rs:182:58:182:63 | stream | test.rs:182:34:182:64 | ...::new(...) | provenance | MaD:36 |
+| test.rs:182:58:182:63 | stream | test.rs:182:34:182:64 | ...::new(...) | provenance | MaD:39 |
 | test.rs:185:27:185:32 | reader | test.rs:185:44:185:52 | [post] &mut line [&ref] | provenance | MaD:18 |
 | test.rs:185:44:185:52 | [post] &mut line [&ref] | test.rs:185:49:185:52 | [post] line | provenance |  |
 | test.rs:185:49:185:52 | [post] line | test.rs:192:35:192:38 | line | provenance |  |
@@ -138,7 +150,7 @@ edges
 | test.rs:224:28:224:66 | ...::connect(...) [future, Ok] | test.rs:224:28:224:72 | await ... [Ok] | provenance |  |
 | test.rs:224:28:224:72 | await ... [Ok] | test.rs:224:28:224:73 | TryExpr | provenance |  |
 | test.rs:224:28:224:73 | TryExpr | test.rs:224:9:224:24 | mut tokio_stream | provenance |  |
-| test.rs:232:17:232:28 | tokio_stream | test.rs:232:35:232:46 | [post] &mut buffer1 [&ref] | provenance | MaD:37 |
+| test.rs:232:17:232:28 | tokio_stream | test.rs:232:35:232:46 | [post] &mut buffer1 [&ref] | provenance | MaD:40 |
 | test.rs:232:35:232:46 | [post] &mut buffer1 [&ref] | test.rs:232:40:232:46 | [post] buffer1 | provenance |  |
 | test.rs:232:40:232:46 | [post] buffer1 | test.rs:239:15:239:21 | buffer1 | provenance |  |
 | test.rs:232:40:232:46 | [post] buffer1 | test.rs:240:14:240:20 | buffer1 | provenance |  |
@@ -150,11 +162,11 @@ edges
 | test.rs:240:14:240:20 | buffer1 | test.rs:240:14:240:23 | buffer1[0] | provenance | MaD:10 |
 | test.rs:243:15:243:21 | buffer2 | test.rs:243:14:243:21 | &buffer2 | provenance |  |
 | test.rs:244:14:244:20 | buffer2 | test.rs:244:14:244:23 | buffer2[0] | provenance | MaD:10 |
-| test.rs:252:19:252:30 | tokio_stream | test.rs:252:41:252:51 | [post] &mut buffer [&ref] | provenance | MaD:38 |
+| test.rs:252:19:252:30 | tokio_stream | test.rs:252:41:252:51 | [post] &mut buffer [&ref] | provenance | MaD:41 |
 | test.rs:252:41:252:51 | [post] &mut buffer [&ref] | test.rs:252:46:252:51 | [post] buffer | provenance |  |
 | test.rs:252:46:252:51 | [post] buffer | test.rs:259:27:259:32 | buffer | provenance |  |
 | test.rs:259:27:259:32 | buffer | test.rs:259:26:259:32 | &buffer | provenance |  |
-| test.rs:275:19:275:30 | tokio_stream | test.rs:275:45:275:55 | [post] &mut buffer [&ref] | provenance | MaD:39 |
+| test.rs:275:19:275:30 | tokio_stream | test.rs:275:45:275:55 | [post] &mut buffer [&ref] | provenance | MaD:42 |
 | test.rs:275:45:275:55 | [post] &mut buffer [&ref] | test.rs:275:50:275:55 | [post] buffer | provenance |  |
 | test.rs:275:50:275:55 | [post] buffer | test.rs:282:27:282:32 | buffer | provenance |  |
 | test.rs:282:27:282:32 | buffer | test.rs:282:26:282:32 | &buffer | provenance |  |
@@ -423,6 +435,15 @@ nodes
 | test.rs:67:31:67:42 | send_request | semmle.label | send_request |
 | test.rs:68:10:68:18 | &response | semmle.label | &response |
 | test.rs:68:11:68:18 | response | semmle.label | response |
+| test.rs:76:18:76:25 | response | semmle.label | response |
+| test.rs:76:18:76:32 | response.body() | semmle.label | response.body() |
+| test.rs:77:18:77:25 | response | semmle.label | response |
+| test.rs:77:18:77:36 | response.body_mut() | semmle.label | response.body_mut() |
+| test.rs:79:17:79:20 | body | semmle.label | body |
+| test.rs:79:24:79:31 | response | semmle.label | response |
+| test.rs:79:24:79:43 | response.into_body() | semmle.label | response.into_body() |
+| test.rs:80:18:80:22 | &body | semmle.label | &body |
+| test.rs:80:19:80:22 | body | semmle.label | body |
 | test.rs:155:13:155:22 | mut stream | semmle.label | mut stream |
 | test.rs:155:26:155:53 | ...::connect | semmle.label | ...::connect |
 | test.rs:155:26:155:62 | ...::connect(...) [Ok] | semmle.label | ...::connect(...) [Ok] |
@@ -668,6 +689,9 @@ testFailures
 | test.rs:61:14:61:22 | &response | test.rs:60:31:60:42 | send_request | test.rs:61:14:61:22 | &response | $@ | test.rs:60:31:60:42 | send_request | send_request |
 | test.rs:62:14:62:21 | response | test.rs:60:31:60:42 | send_request | test.rs:62:14:62:21 | response | $@ | test.rs:60:31:60:42 | send_request | send_request |
 | test.rs:68:10:68:18 | &response | test.rs:67:31:67:42 | send_request | test.rs:68:10:68:18 | &response | $@ | test.rs:67:31:67:42 | send_request | send_request |
+| test.rs:76:18:76:32 | response.body() | test.rs:67:31:67:42 | send_request | test.rs:76:18:76:32 | response.body() | $@ | test.rs:67:31:67:42 | send_request | send_request |
+| test.rs:77:18:77:36 | response.body_mut() | test.rs:67:31:67:42 | send_request | test.rs:77:18:77:36 | response.body_mut() | $@ | test.rs:67:31:67:42 | send_request | send_request |
+| test.rs:80:18:80:22 | &body | test.rs:67:31:67:42 | send_request | test.rs:80:18:80:22 | &body | $@ | test.rs:67:31:67:42 | send_request | send_request |
 | test.rs:165:14:165:20 | &buffer | test.rs:155:26:155:53 | ...::connect | test.rs:165:14:165:20 | &buffer | $@ | test.rs:155:26:155:53 | ...::connect | ...::connect |
 | test.rs:166:14:166:22 | buffer[0] | test.rs:155:26:155:53 | ...::connect | test.rs:166:14:166:22 | buffer[0] | $@ | test.rs:155:26:155:53 | ...::connect | ...::connect |
 | test.rs:192:34:192:38 | &line | test.rs:174:26:174:61 | ...::connect_timeout | test.rs:192:34:192:38 | &line | $@ | test.rs:174:26:174:61 | ...::connect_timeout | ...::connect_timeout |
diff --git a/rust/ql/test/library-tests/dataflow/sources/net/test.rs b/rust/ql/test/library-tests/dataflow/sources/net/test.rs
index f029ac53805..2f51be773b7 100644
--- a/rust/ql/test/library-tests/dataflow/sources/net/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/net/test.rs
@@ -73,11 +73,11 @@ async fn test_hyper_http(case: i64) -> Result<(), Box<dyn std::error::Error>> {
 
     match case {
         1 => {
-            sink(response.body()); // $ MISSING: hasTaintFlow
-            sink(response.body_mut()); // $ MISSING: hasTaintFlow
+            sink(response.body()); // $ hasTaintFlow=request
+            sink(response.body_mut()); // $ hasTaintFlow=request
 
             let body = response.into_body();
-            sink(&body); // $ MISSING: hasTaintFlow
+            sink(&body); // $ hasTaintFlow=request
 
             println!("awaiting response...");
             let data = body.collect().await?;
diff --git a/rust/ql/test/query-tests/security/CWE-117/LogInjection.expected b/rust/ql/test/query-tests/security/CWE-117/LogInjection.expected
index d812380d9c7..e326a87c42d 100644
--- a/rust/ql/test/query-tests/security/CWE-117/LogInjection.expected
+++ b/rust/ql/test/query-tests/security/CWE-117/LogInjection.expected
@@ -1,8 +1,14 @@
 #select
+| main.rs:15:5:15:9 | ...::log | main.rs:8:29:8:37 | ...::args | main.rs:15:5:15:9 | ...::log | Log entry depends on a $@. | main.rs:8:29:8:37 | ...::args | user-provided value |
 | main.rs:16:5:16:9 | ...::log | main.rs:10:22:10:34 | ...::var | main.rs:16:5:16:9 | ...::log | Log entry depends on a $@. | main.rs:10:22:10:34 | ...::var | user-provided value |
 | main.rs:17:5:17:10 | ...::log | main.rs:11:23:11:44 | ...::get | main.rs:17:5:17:10 | ...::log | Log entry depends on a $@. | main.rs:11:23:11:44 | ...::get | user-provided value |
+| main.rs:18:5:18:10 | ...::log | main.rs:8:29:8:37 | ...::args | main.rs:18:5:18:10 | ...::log | Log entry depends on a $@. | main.rs:8:29:8:37 | ...::args | user-provided value |
 | main.rs:19:5:19:10 | ...::log | main.rs:10:22:10:34 | ...::var | main.rs:19:5:19:10 | ...::log | Log entry depends on a $@. | main.rs:10:22:10:34 | ...::var | user-provided value |
+| main.rs:23:5:23:9 | ...::log | main.rs:8:29:8:37 | ...::args | main.rs:23:5:23:9 | ...::log | Log entry depends on a $@. | main.rs:8:29:8:37 | ...::args | user-provided value |
+| main.rs:27:5:27:9 | ...::log | main.rs:8:29:8:37 | ...::args | main.rs:27:5:27:9 | ...::log | Log entry depends on a $@. | main.rs:8:29:8:37 | ...::args | user-provided value |
+| main.rs:30:5:30:9 | ...::log | main.rs:8:29:8:37 | ...::args | main.rs:30:5:30:9 | ...::log | Log entry depends on a $@. | main.rs:8:29:8:37 | ...::args | user-provided value |
 | main.rs:30:5:30:9 | ...::log | main.rs:11:23:11:44 | ...::get | main.rs:30:5:30:9 | ...::log | Log entry depends on a $@. | main.rs:11:23:11:44 | ...::get | user-provided value |
+| main.rs:66:5:66:9 | ...::log | main.rs:8:29:8:37 | ...::args | main.rs:66:5:66:9 | ...::log | Log entry depends on a $@. | main.rs:8:29:8:37 | ...::args | user-provided value |
 | main.rs:112:9:112:13 | ...::log | main.rs:109:25:109:38 | ...::args | main.rs:112:9:112:13 | ...::log | Log entry depends on a $@. | main.rs:109:25:109:38 | ...::args | user-provided value |
 | main.rs:113:9:113:13 | ...::log | main.rs:109:25:109:38 | ...::args | main.rs:113:9:113:13 | ...::log | Log entry depends on a $@. | main.rs:109:25:109:38 | ...::args | user-provided value |
 | main.rs:114:9:114:14 | ...::log | main.rs:109:25:109:38 | ...::args | main.rs:114:9:114:14 | ...::log | Log entry depends on a $@. | main.rs:109:25:109:38 | ...::args | user-provided value |
@@ -12,22 +18,59 @@
 | main.rs:126:9:126:16 | ...::_print | main.rs:123:25:123:37 | ...::var | main.rs:126:9:126:16 | ...::_print | Log entry depends on a $@. | main.rs:123:25:123:37 | ...::var | user-provided value |
 | main.rs:127:9:127:17 | ...::_eprint | main.rs:123:25:123:37 | ...::var | main.rs:127:9:127:17 | ...::_eprint | Log entry depends on a $@. | main.rs:123:25:123:37 | ...::var | user-provided value |
 edges
+| main.rs:8:9:8:12 | args [element] | main.rs:9:20:9:23 | args [element] | provenance |  |
+| main.rs:8:29:8:37 | ...::args | main.rs:8:29:8:39 | ...::args(...) [element] | provenance | Src:MaD:5  |
+| main.rs:8:29:8:39 | ...::args(...) [element] | main.rs:8:29:8:49 | ... .collect() [element] | provenance | MaD:9 |
+| main.rs:8:29:8:49 | ... .collect() [element] | main.rs:8:9:8:12 | args [element] | provenance |  |
+| main.rs:9:9:9:16 | username | main.rs:15:11:15:36 | MacroExpr | provenance |  |
+| main.rs:9:9:9:16 | username | main.rs:18:12:18:37 | MacroExpr | provenance |  |
+| main.rs:9:9:9:16 | username | main.rs:22:33:22:63 | MacroExpr | provenance |  |
+| main.rs:9:9:9:16 | username | main.rs:26:55:26:62 | username | provenance |  |
+| main.rs:9:9:9:16 | username | main.rs:30:11:30:66 | MacroExpr | provenance |  |
+| main.rs:9:9:9:16 | username | main.rs:52:29:52:36 | username | provenance |  |
+| main.rs:9:20:9:23 | args [element] | main.rs:9:20:9:30 | args.get(...) [Some, &ref] | provenance | MaD:12 |
+| main.rs:9:20:9:30 | args.get(...) [Some, &ref] | main.rs:9:20:9:64 | ... .unwrap_or(...) [&ref] | provenance | MaD:13 |
+| main.rs:9:20:9:64 | ... .unwrap_or(...) [&ref] | main.rs:9:20:9:72 | ... .clone() | provenance | MaD:8 |
+| main.rs:9:20:9:72 | ... .clone() | main.rs:9:9:9:16 | username | provenance |  |
 | main.rs:10:9:10:18 | user_input | main.rs:16:11:16:44 | MacroExpr | provenance |  |
 | main.rs:10:9:10:18 | user_input | main.rs:19:12:19:39 | MacroExpr | provenance |  |
 | main.rs:10:22:10:34 | ...::var | main.rs:10:22:10:48 | ...::var(...) [Ok] | provenance | Src:MaD:6  |
-| main.rs:10:22:10:48 | ...::var(...) [Ok] | main.rs:10:22:10:81 | ... .unwrap_or(...) | provenance | MaD:10 |
+| main.rs:10:22:10:48 | ...::var(...) [Ok] | main.rs:10:22:10:81 | ... .unwrap_or(...) | provenance | MaD:16 |
 | main.rs:10:22:10:81 | ... .unwrap_or(...) | main.rs:10:9:10:18 | user_input | provenance |  |
 | main.rs:11:9:11:19 | remote_data | main.rs:17:12:17:46 | MacroExpr | provenance |  |
 | main.rs:11:9:11:19 | remote_data | main.rs:30:11:30:66 | MacroExpr | provenance |  |
 | main.rs:11:23:11:44 | ...::get | main.rs:11:23:11:71 | ...::get(...) [Ok] | provenance | Src:MaD:4  |
-| main.rs:11:23:11:71 | ...::get(...) [Ok] | main.rs:11:23:12:17 | ... .unwrap() | provenance | MaD:9 |
-| main.rs:11:23:12:17 | ... .unwrap() | main.rs:11:23:12:24 | ... .text() [Ok] | provenance | MaD:12 |
-| main.rs:11:23:12:24 | ... .text() [Ok] | main.rs:11:23:12:61 | ... .unwrap_or(...) | provenance | MaD:10 |
+| main.rs:11:23:11:71 | ...::get(...) [Ok] | main.rs:11:23:12:17 | ... .unwrap() | provenance | MaD:15 |
+| main.rs:11:23:12:17 | ... .unwrap() | main.rs:11:23:12:24 | ... .text() [Ok] | provenance | MaD:18 |
+| main.rs:11:23:12:24 | ... .text() [Ok] | main.rs:11:23:12:61 | ... .unwrap_or(...) | provenance | MaD:16 |
 | main.rs:11:23:12:61 | ... .unwrap_or(...) | main.rs:11:9:11:19 | remote_data | provenance |  |
+| main.rs:15:11:15:36 | MacroExpr | main.rs:15:5:15:9 | ...::log | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:16:11:16:44 | MacroExpr | main.rs:16:5:16:9 | ...::log | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:17:12:17:46 | MacroExpr | main.rs:17:5:17:10 | ...::log | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:18:12:18:37 | MacroExpr | main.rs:18:5:18:10 | ...::log | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:19:12:19:39 | MacroExpr | main.rs:19:5:19:10 | ...::log | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:22:9:22:21 | formatted_msg | main.rs:23:11:23:29 | MacroExpr | provenance |  |
+| main.rs:22:33:22:63 | ...::format(...) | main.rs:22:33:22:63 | { ... } | provenance |  |
+| main.rs:22:33:22:63 | ...::must_use(...) | main.rs:22:9:22:21 | formatted_msg | provenance |  |
+| main.rs:22:33:22:63 | MacroExpr | main.rs:22:33:22:63 | ...::format(...) | provenance | MaD:19 |
+| main.rs:22:33:22:63 | { ... } | main.rs:22:33:22:63 | ...::must_use(...) | provenance | MaD:20 |
+| main.rs:23:11:23:29 | MacroExpr | main.rs:23:5:23:9 | ...::log | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:26:9:26:18 | concat_msg | main.rs:27:11:27:26 | MacroExpr | provenance |  |
+| main.rs:26:22:26:62 | ... + ... | main.rs:26:9:26:18 | concat_msg | provenance |  |
+| main.rs:26:54:26:62 | &username [&ref] | main.rs:26:22:26:62 | ... + ... | provenance | MaD:11 |
+| main.rs:26:55:26:62 | username | main.rs:26:54:26:62 | &username [&ref] | provenance |  |
+| main.rs:27:11:27:26 | MacroExpr | main.rs:27:5:27:9 | ...::log | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:30:11:30:66 | MacroExpr | main.rs:30:5:30:9 | ...::log | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:52:28:52:36 | &username [&ref] | main.rs:56:27:56:40 | ...: ... [&ref] | provenance |  |
+| main.rs:52:29:52:36 | username | main.rs:52:28:52:36 | &username [&ref] | provenance |  |
+| main.rs:56:27:56:40 | ...: ... [&ref] | main.rs:65:38:65:45 | username [&ref] | provenance |  |
+| main.rs:65:9:65:17 | user_info [UserInfo] | main.rs:66:28:66:36 | user_info [UserInfo] | provenance |  |
+| main.rs:65:21:65:59 | UserInfo {...} [UserInfo] | main.rs:65:9:65:17 | user_info [UserInfo] | provenance |  |
+| main.rs:65:38:65:45 | username [&ref] | main.rs:65:38:65:57 | username.to_string() | provenance | MaD:7 |
+| main.rs:65:38:65:57 | username.to_string() | main.rs:65:21:65:59 | UserInfo {...} [UserInfo] | provenance |  |
+| main.rs:66:11:66:41 | MacroExpr | main.rs:66:5:66:9 | ...::log | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:66:28:66:36 | user_info [UserInfo] | main.rs:66:28:66:41 | user_info.name | provenance |  |
+| main.rs:66:28:66:41 | user_info.name | main.rs:66:11:66:41 | MacroExpr | provenance |  |
 | main.rs:109:13:109:21 | user_data | main.rs:112:15:112:35 | MacroExpr | provenance |  |
 | main.rs:109:13:109:21 | user_data | main.rs:113:15:113:38 | MacroExpr | provenance |  |
 | main.rs:109:13:109:21 | user_data | main.rs:114:16:114:37 | MacroExpr | provenance |  |
@@ -35,8 +78,8 @@ edges
 | main.rs:109:13:109:21 | user_data | main.rs:116:16:116:37 | MacroExpr | provenance |  |
 | main.rs:109:13:109:21 | user_data | main.rs:119:15:119:75 | MacroExpr | provenance |  |
 | main.rs:109:25:109:38 | ...::args | main.rs:109:25:109:40 | ...::args(...) [element] | provenance | Src:MaD:5  |
-| main.rs:109:25:109:40 | ...::args(...) [element] | main.rs:109:25:109:47 | ... .nth(...) [Some] | provenance | MaD:7 |
-| main.rs:109:25:109:47 | ... .nth(...) [Some] | main.rs:109:25:109:67 | ... .unwrap_or_default() | provenance | MaD:8 |
+| main.rs:109:25:109:40 | ...::args(...) [element] | main.rs:109:25:109:47 | ... .nth(...) [Some] | provenance | MaD:10 |
+| main.rs:109:25:109:47 | ... .nth(...) [Some] | main.rs:109:25:109:67 | ... .unwrap_or_default() | provenance | MaD:14 |
 | main.rs:109:25:109:67 | ... .unwrap_or_default() | main.rs:109:13:109:21 | user_data | provenance |  |
 | main.rs:112:15:112:35 | MacroExpr | main.rs:112:9:112:13 | ...::log | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:113:15:113:38 | MacroExpr | main.rs:113:9:113:13 | ...::log | provenance | MaD:1 Sink:MaD:1 |
@@ -47,7 +90,7 @@ edges
 | main.rs:123:13:123:21 | user_data | main.rs:126:18:126:38 | MacroExpr | provenance |  |
 | main.rs:123:13:123:21 | user_data | main.rs:127:19:127:49 | MacroExpr | provenance |  |
 | main.rs:123:25:123:37 | ...::var | main.rs:123:25:123:45 | ...::var(...) [Ok] | provenance | Src:MaD:6  |
-| main.rs:123:25:123:45 | ...::var(...) [Ok] | main.rs:123:25:123:65 | ... .unwrap_or_default() | provenance | MaD:11 |
+| main.rs:123:25:123:45 | ...::var(...) [Ok] | main.rs:123:25:123:65 | ... .unwrap_or_default() | provenance | MaD:17 |
 | main.rs:123:25:123:65 | ... .unwrap_or_default() | main.rs:123:13:123:21 | user_data | provenance |  |
 | main.rs:126:18:126:38 | MacroExpr | main.rs:126:9:126:16 | ...::_print | provenance | MaD:3 Sink:MaD:3 |
 | main.rs:127:19:127:49 | MacroExpr | main.rs:127:9:127:17 | ...::_eprint | provenance | MaD:2 Sink:MaD:2 |
@@ -58,13 +101,30 @@ models
 | 4 | Source: reqwest::blocking::get; ReturnValue.Field[core::result::Result::Ok(0)]; remote |
 | 5 | Source: std::env::args; ReturnValue.Element; commandargs |
 | 6 | Source: std::env::var; ReturnValue.Field[core::result::Result::Ok(0)]; environment |
-| 7 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Reference.Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
-| 8 | Summary: <core::option::Option>::unwrap_or_default; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
-| 9 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 10 | Summary: <core::result::Result>::unwrap_or; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 11 | Summary: <core::result::Result>::unwrap_or_default; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 12 | Summary: <reqwest::blocking::response::Response>::text; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 7 | Summary: <_ as alloc::string::ToString>::to_string; Argument[self].Reference; ReturnValue; taint |
+| 8 | Summary: <_ as core::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
+| 9 | Summary: <_ as core::iter::traits::iterator::Iterator>::collect; Argument[self].Element; ReturnValue.Element; value |
+| 10 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Reference.Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
+| 11 | Summary: <alloc::string::String as core::ops::arith::Add>::add; Argument[0].Reference; ReturnValue; taint |
+| 12 | Summary: <alloc::vec::Vec as core::ops::deref::Deref>::deref; Argument[self].Reference.Element; ReturnValue.Reference.Element; value |
+| 13 | Summary: <core::option::Option>::unwrap_or; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
+| 14 | Summary: <core::option::Option>::unwrap_or_default; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
+| 15 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 16 | Summary: <core::result::Result>::unwrap_or; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 17 | Summary: <core::result::Result>::unwrap_or_default; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 18 | Summary: <reqwest::blocking::response::Response>::text; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 19 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
+| 20 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
+| main.rs:8:9:8:12 | args [element] | semmle.label | args [element] |
+| main.rs:8:29:8:37 | ...::args | semmle.label | ...::args |
+| main.rs:8:29:8:39 | ...::args(...) [element] | semmle.label | ...::args(...) [element] |
+| main.rs:8:29:8:49 | ... .collect() [element] | semmle.label | ... .collect() [element] |
+| main.rs:9:9:9:16 | username | semmle.label | username |
+| main.rs:9:20:9:23 | args [element] | semmle.label | args [element] |
+| main.rs:9:20:9:30 | args.get(...) [Some, &ref] | semmle.label | args.get(...) [Some, &ref] |
+| main.rs:9:20:9:64 | ... .unwrap_or(...) [&ref] | semmle.label | ... .unwrap_or(...) [&ref] |
+| main.rs:9:20:9:72 | ... .clone() | semmle.label | ... .clone() |
 | main.rs:10:9:10:18 | user_input | semmle.label | user_input |
 | main.rs:10:22:10:34 | ...::var | semmle.label | ...::var |
 | main.rs:10:22:10:48 | ...::var(...) [Ok] | semmle.label | ...::var(...) [Ok] |
@@ -75,14 +135,42 @@ nodes
 | main.rs:11:23:12:17 | ... .unwrap() | semmle.label | ... .unwrap() |
 | main.rs:11:23:12:24 | ... .text() [Ok] | semmle.label | ... .text() [Ok] |
 | main.rs:11:23:12:61 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
+| main.rs:15:5:15:9 | ...::log | semmle.label | ...::log |
+| main.rs:15:11:15:36 | MacroExpr | semmle.label | MacroExpr |
 | main.rs:16:5:16:9 | ...::log | semmle.label | ...::log |
 | main.rs:16:11:16:44 | MacroExpr | semmle.label | MacroExpr |
 | main.rs:17:5:17:10 | ...::log | semmle.label | ...::log |
 | main.rs:17:12:17:46 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:18:5:18:10 | ...::log | semmle.label | ...::log |
+| main.rs:18:12:18:37 | MacroExpr | semmle.label | MacroExpr |
 | main.rs:19:5:19:10 | ...::log | semmle.label | ...::log |
 | main.rs:19:12:19:39 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:22:9:22:21 | formatted_msg | semmle.label | formatted_msg |
+| main.rs:22:33:22:63 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:22:33:22:63 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| main.rs:22:33:22:63 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:22:33:22:63 | { ... } | semmle.label | { ... } |
+| main.rs:23:5:23:9 | ...::log | semmle.label | ...::log |
+| main.rs:23:11:23:29 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:26:9:26:18 | concat_msg | semmle.label | concat_msg |
+| main.rs:26:22:26:62 | ... + ... | semmle.label | ... + ... |
+| main.rs:26:54:26:62 | &username [&ref] | semmle.label | &username [&ref] |
+| main.rs:26:55:26:62 | username | semmle.label | username |
+| main.rs:27:5:27:9 | ...::log | semmle.label | ...::log |
+| main.rs:27:11:27:26 | MacroExpr | semmle.label | MacroExpr |
 | main.rs:30:5:30:9 | ...::log | semmle.label | ...::log |
 | main.rs:30:11:30:66 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:52:28:52:36 | &username [&ref] | semmle.label | &username [&ref] |
+| main.rs:52:29:52:36 | username | semmle.label | username |
+| main.rs:56:27:56:40 | ...: ... [&ref] | semmle.label | ...: ... [&ref] |
+| main.rs:65:9:65:17 | user_info [UserInfo] | semmle.label | user_info [UserInfo] |
+| main.rs:65:21:65:59 | UserInfo {...} [UserInfo] | semmle.label | UserInfo {...} [UserInfo] |
+| main.rs:65:38:65:45 | username [&ref] | semmle.label | username [&ref] |
+| main.rs:65:38:65:57 | username.to_string() | semmle.label | username.to_string() |
+| main.rs:66:5:66:9 | ...::log | semmle.label | ...::log |
+| main.rs:66:11:66:41 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:66:28:66:36 | user_info [UserInfo] | semmle.label | user_info [UserInfo] |
+| main.rs:66:28:66:41 | user_info.name | semmle.label | user_info.name |
 | main.rs:109:13:109:21 | user_data | semmle.label | user_data |
 | main.rs:109:25:109:38 | ...::args | semmle.label | ...::args |
 | main.rs:109:25:109:40 | ...::args(...) [element] | semmle.label | ...::args(...) [element] |
diff --git a/rust/ql/test/query-tests/security/CWE-117/main.rs b/rust/ql/test/query-tests/security/CWE-117/main.rs
index f5001846d1b..9fb3558b3d2 100644
--- a/rust/ql/test/query-tests/security/CWE-117/main.rs
+++ b/rust/ql/test/query-tests/security/CWE-117/main.rs
@@ -5,29 +5,29 @@ fn main() {
     env_logger::init();
 
     // Sources of user input
-    let args: Vec<String> = env::args().collect();
-    let username = args.get(1).unwrap_or(&String::from("Guest")).clone(); // $ MISSING: Source=commandargs
+    let args: Vec<String> = env::args().collect(); // $ Source=commandargs
+    let username = args.get(1).unwrap_or(&String::from("Guest")).clone();
     let user_input = std::env::var("USER_INPUT").unwrap_or("default".to_string()); // $ Source=environment
     let remote_data = reqwest::blocking::get("http://example.com/user") // $ Source=remote
         .unwrap().text().unwrap_or("remote_user".to_string());
 
     // BAD: Direct logging of user input
-    info!("User login: {}", username); // $ MISSING: Alert[rust/log-injection]
+    info!("User login: {}", username); // $ Alert[rust/log-injection]=commandargs
     warn!("Warning for user: {}", user_input); // $ Alert[rust/log-injection]=environment
     error!("Error processing: {}", remote_data); // $ Alert[rust/log-injection]=remote
-    debug!("Debug info: {}", username); // $ MISSING: Alert[rust/log-injection]
+    debug!("Debug info: {}", username); // $ Alert[rust/log-injection]=commandargs
     trace!("Trace data: {}", user_input); // $ Alert[rust/log-injection]=environment
 
     // BAD: Formatted strings with user input
     let formatted_msg = format!("Processing user: {}", username);
-    info!("{}", formatted_msg); // $ MISSING: Alert[rust/log-injection]
+    info!("{}", formatted_msg); // $ Alert[rust/log-injection]=commandargs
 
     // BAD: String concatenation with user input
     let concat_msg = "User activity: ".to_string() + &username;
-    info!("{}", concat_msg); // $ MISSING: Alert[rust/log-injection]
+    info!("{}", concat_msg); // $ Alert[rust/log-injection]=commandargs
 
     // BAD: Complex formatting
-    info!("User {} accessed resource at {}", username, remote_data); // $ Alert[rust/log-injection]=remote
+    info!("User {} accessed resource at {}", username, remote_data); // $ Alert[rust/log-injection]=remote Alert[rust/log-injection]=commandargs
 
     // GOOD: Sanitized input
     let sanitized_username = username.replace('\n', "").replace('\r', "");
@@ -63,7 +63,7 @@ fn test_complex_scenarios(username: &str, user_input: &str) {
 
     // BAD: Through struct fields
     let user_info = UserInfo { name: username.to_string() };
-    info!("User info: {}", user_info.name); // $ MISSING: Alert[rust/log-injection]
+    info!("User info: {}", user_info.name); // $ Alert[rust/log-injection]=commandargs
 
     // GOOD: After sanitization
     let clean_input = sanitize_input(user_input);
diff --git a/rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.expected b/rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.expected
index bbc67f6fd18..dd4fd929404 100644
--- a/rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.expected
+++ b/rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.expected
@@ -15,6 +15,7 @@
 | main.rs:109:4:109:34 | danger_accept_invalid_hostnames | main.rs:107:17:107:31 | ...::exists | main.rs:109:4:109:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 | main.rs:115:4:115:34 | danger_accept_invalid_hostnames | main.rs:113:43:113:50 | metadata | main.rs:115:4:115:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 | main.rs:121:4:121:34 | danger_accept_invalid_hostnames | main.rs:119:11:119:27 | ...::metadata | main.rs:121:4:121:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
+| main.rs:134:4:134:34 | danger_accept_invalid_hostnames | main.rs:129:14:129:27 | ...::stdin | main.rs:134:4:134:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 | main.rs:146:4:146:34 | danger_accept_invalid_hostnames | main.rs:144:39:144:42 | true | main.rs:146:4:146:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 edges
 | main.rs:4:32:4:35 | true | main.rs:4:4:4:30 | danger_accept_invalid_certs | provenance | MaD:1 Sink:MaD:1 |
@@ -37,21 +38,33 @@ edges
 | main.rs:93:32:93:47 | sometimes_global | main.rs:93:4:93:30 | danger_accept_invalid_certs | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:107:6:107:7 | b1 | main.rs:109:36:109:37 | b1 | provenance |  |
 | main.rs:107:17:107:31 | ...::exists | main.rs:107:17:107:42 | ...::exists(...) [Ok] | provenance | Src:MaD:8  |
-| main.rs:107:17:107:42 | ...::exists(...) [Ok] | main.rs:107:17:107:51 | ... .unwrap() | provenance | MaD:10 |
+| main.rs:107:17:107:42 | ...::exists(...) [Ok] | main.rs:107:17:107:51 | ... .unwrap() | provenance | MaD:13 |
 | main.rs:107:17:107:51 | ... .unwrap() | main.rs:107:6:107:7 | b1 | provenance |  |
 | main.rs:109:36:109:37 | b1 | main.rs:109:4:109:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
 | main.rs:113:6:113:7 | b2 | main.rs:115:36:115:37 | b2 | provenance |  |
-| main.rs:113:11:113:52 | ... .metadata() [Ok] | main.rs:113:11:113:61 | ... .unwrap() | provenance | MaD:10 |
-| main.rs:113:11:113:61 | ... .unwrap() | main.rs:113:11:113:71 | ... .is_file() | provenance | MaD:12 |
+| main.rs:113:11:113:52 | ... .metadata() [Ok] | main.rs:113:11:113:61 | ... .unwrap() | provenance | MaD:13 |
+| main.rs:113:11:113:61 | ... .unwrap() | main.rs:113:11:113:71 | ... .is_file() | provenance | MaD:16 |
 | main.rs:113:11:113:71 | ... .is_file() | main.rs:113:6:113:7 | b2 | provenance |  |
 | main.rs:113:43:113:50 | metadata | main.rs:113:11:113:52 | ... .metadata() [Ok] | provenance | Src:MaD:7  |
 | main.rs:115:36:115:37 | b2 | main.rs:115:4:115:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
 | main.rs:119:6:119:7 | b3 | main.rs:121:36:121:37 | b3 | provenance |  |
 | main.rs:119:11:119:27 | ...::metadata | main.rs:119:11:119:38 | ...::metadata(...) [Ok] | provenance | Src:MaD:9  |
-| main.rs:119:11:119:38 | ...::metadata(...) [Ok] | main.rs:119:11:119:47 | ... .unwrap() | provenance | MaD:10 |
-| main.rs:119:11:119:47 | ... .unwrap() | main.rs:119:11:119:56 | ... .is_dir() | provenance | MaD:11 |
+| main.rs:119:11:119:38 | ...::metadata(...) [Ok] | main.rs:119:11:119:47 | ... .unwrap() | provenance | MaD:13 |
+| main.rs:119:11:119:47 | ... .unwrap() | main.rs:119:11:119:56 | ... .is_dir() | provenance | MaD:15 |
 | main.rs:119:11:119:56 | ... .is_dir() | main.rs:119:6:119:7 | b3 | provenance |  |
 | main.rs:121:36:121:37 | b3 | main.rs:121:4:121:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
+| main.rs:129:6:129:10 | input | main.rs:130:2:130:6 | input | provenance |  |
+| main.rs:129:14:129:27 | ...::stdin | main.rs:129:14:129:29 | ...::stdin(...) | provenance | Src:MaD:10 MaD:10 |
+| main.rs:129:14:129:29 | ...::stdin(...) | main.rs:129:6:129:10 | input | provenance |  |
+| main.rs:130:2:130:6 | input | main.rs:130:18:130:32 | [post] &mut input_line [&ref] | provenance | MaD:17 |
+| main.rs:130:18:130:32 | [post] &mut input_line [&ref] | main.rs:130:23:130:32 | [post] input_line | provenance |  |
+| main.rs:130:23:130:32 | [post] input_line | main.rs:132:17:132:26 | input_line | provenance |  |
+| main.rs:132:6:132:7 | b4 | main.rs:134:36:134:37 | b4 | provenance |  |
+| main.rs:132:17:132:26 | input_line | main.rs:132:17:132:42 | input_line.parse() [Ok] | provenance | MaD:11 |
+| main.rs:132:17:132:26 | input_line | main.rs:132:17:132:42 | input_line.parse() [Ok] | provenance | MaD:12 |
+| main.rs:132:17:132:42 | input_line.parse() [Ok] | main.rs:132:17:132:59 | ... .unwrap_or(...) | provenance | MaD:14 |
+| main.rs:132:17:132:59 | ... .unwrap_or(...) | main.rs:132:6:132:7 | b4 | provenance |  |
+| main.rs:134:36:134:37 | b4 | main.rs:134:4:134:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
 | main.rs:144:6:144:7 | b6 | main.rs:146:36:146:37 | b6 | provenance |  |
 | main.rs:144:39:144:42 | true | main.rs:144:6:144:7 | b6 | provenance |  |
 | main.rs:146:36:146:37 | b6 | main.rs:146:4:146:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
@@ -66,9 +79,14 @@ models
 | 7 | Source: <std::path::Path>::metadata; ReturnValue.Field[core::result::Result::Ok(0)]; file |
 | 8 | Source: std::fs::exists; ReturnValue.Field[core::result::Result::Ok(0)]; file |
 | 9 | Source: std::fs::metadata; ReturnValue.Field[core::result::Result::Ok(0)]; file |
-| 10 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 11 | Summary: <std::fs::Metadata>::is_dir; Argument[self].Reference; ReturnValue; taint |
-| 12 | Summary: <std::fs::Metadata>::is_file; Argument[self].Reference; ReturnValue; taint |
+| 10 | Source: std::io::stdio::stdin; ReturnValue; stdin |
+| 11 | Summary: <_ as core::ops::deref::Deref>::deref; Argument[self].Reference; ReturnValue.Reference; taint |
+| 12 | Summary: <alloc::string::String as core::ops::deref::Deref>::deref; Argument[self]; ReturnValue; value |
+| 13 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 14 | Summary: <core::result::Result>::unwrap_or; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 15 | Summary: <std::fs::Metadata>::is_dir; Argument[self].Reference; ReturnValue; taint |
+| 16 | Summary: <std::fs::Metadata>::is_file; Argument[self].Reference; ReturnValue; taint |
+| 17 | Summary: <std::io::stdio::Stdin>::read_line; Argument[self].Reference; Argument[0].Reference; taint |
 nodes
 | main.rs:4:4:4:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
 | main.rs:4:32:4:35 | true | semmle.label | true |
@@ -121,6 +139,18 @@ nodes
 | main.rs:119:11:119:56 | ... .is_dir() | semmle.label | ... .is_dir() |
 | main.rs:121:4:121:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
 | main.rs:121:36:121:37 | b3 | semmle.label | b3 |
+| main.rs:129:6:129:10 | input | semmle.label | input |
+| main.rs:129:14:129:27 | ...::stdin | semmle.label | ...::stdin |
+| main.rs:129:14:129:29 | ...::stdin(...) | semmle.label | ...::stdin(...) |
+| main.rs:130:2:130:6 | input | semmle.label | input |
+| main.rs:130:18:130:32 | [post] &mut input_line [&ref] | semmle.label | [post] &mut input_line [&ref] |
+| main.rs:130:23:130:32 | [post] input_line | semmle.label | [post] input_line |
+| main.rs:132:6:132:7 | b4 | semmle.label | b4 |
+| main.rs:132:17:132:26 | input_line | semmle.label | input_line |
+| main.rs:132:17:132:42 | input_line.parse() [Ok] | semmle.label | input_line.parse() [Ok] |
+| main.rs:132:17:132:59 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
+| main.rs:134:4:134:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
+| main.rs:134:36:134:37 | b4 | semmle.label | b4 |
 | main.rs:144:6:144:7 | b6 | semmle.label | b6 |
 | main.rs:144:39:144:42 | true | semmle.label | true |
 | main.rs:146:4:146:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
diff --git a/rust/ql/test/query-tests/security/CWE-295/main.rs b/rust/ql/test/query-tests/security/CWE-295/main.rs
index 6088e6fc1be..e8c20c1d6df 100644
--- a/rust/ql/test/query-tests/security/CWE-295/main.rs
+++ b/rust/ql/test/query-tests/security/CWE-295/main.rs
@@ -126,12 +126,12 @@ fn test_threat_model_source() {
 	// (these are a little closer to something real)
 
 	let mut input_line = String::new();
-	let input = std::io::stdin();
+	let input = std::io::stdin(); // $ Source=stdin
 	input.read_line(&mut input_line).unwrap();
 
 	let b4: bool = input_line.parse::<bool>().unwrap_or(false);
 	let _client = native_tls::TlsConnector::builder()
-		.danger_accept_invalid_hostnames(b4) // $ MISSING: Alert[rust/disabled-certificate-check]=stdin
+		.danger_accept_invalid_hostnames(b4) // $ Alert[rust/disabled-certificate-check]=stdin
 		.build()
 		.unwrap();