From faf69b821ba152f81fcf954a3ed1c1b4fa66a0bc Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 28 Nov 2025 17:09:08 +0000
Subject: [PATCH] Rust: Add sinks as barriers to prevent duplicate results.

---
 .../queries/security/CWE-798/HardcodedCryptographicValue.ql  | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
index f5a43c5419c..c8e6c9932cb 100644
--- a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
+++ b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
@@ -39,6 +39,11 @@ module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig {
     //  case like `[0, 0, 0, 0]`)
     isSource(node)
   }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    // make sinks barriers so that we only report the closest instance
+    isSink(node)
+  }
 }
 
 module HardcodedCryptographicValueFlow = TaintTracking::Global<HardcodedCryptographicValueConfig>;