Rust: Add sinks as barriers to prevent duplicate results.

geoffw0 · geoffw0 · commit faf69b821ba1 · 2025-12-01T12:39:13.000Z
diff --git a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
@@ -39,6 +39,11 @@ module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig {
     //  case like `[0, 0, 0, 0]`)
     isSource(node)
   }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    // make sinks barriers so that we only report the closest instance
+    isSink(node)
+  }
 }
 
 module HardcodedCryptographicValueFlow = TaintTracking::Global<HardcodedCryptographicValueConfig>;

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,11 @@ module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig {`
`39`	`39`	// case like `[0, 0, 0, 0]`)
`40`	`40`	`isSource(node)`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate isBarrierOut(DataFlow::Node node) {`
	`44`	`+ // make sinks barriers so that we only report the closest instance`
	`45`	`+ isSink(node)`
	`46`	`+ }`
`42`	`47`	`}`
`43`	`48`
`44`	`49`	`module HardcodedCryptographicValueFlow = TaintTracking::Global<HardcodedCryptographicValueConfig>;`