Rust: update docs

[redsun82]

This should be kept unmerged until we get to the public preview phase.

[geoffw0]

A few more libraries we model (partial support, but then I don't think we can claim to fully model any libraries). Sorry I probably missed a few of these in the list I sent you before.

We also have models for the standard io library coming in #19304 , I should update that PR once this is merged or vice-versa.

[geoffw0]

The two docs + other changes look great to me!

Some minor suggestions below.

"CodeQL library for Rust" doesn't go into a lot of detail, I think that's OK at this stage, it would be nice to have more example code in future.

I haven't checked the links, references to notes, and generally that everything fits together correctly - we really need a full preview for that and/or to be ready to correct any problems quickly after this goes live.

You should probably get a review from the docs team next?

[geoffw0]

We should strongly consider adding helper predicates getParamName and getArgName to make code like this a bit cleaner?

[redsun82]

Good idea! I already cleaned up getting by index (it was f.getParamList().getParam(index)), but a getParamByName seems a good addition too!

[geoffw0]

Yep, I noticed that. 👍

[geoffw0]

I'm not clear what "it" is, and I think these few words are superfluous anyway.

Suggested change

	Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program
	to exploit it. Related to data flow, is the taint-tracking library, which finds how data can *influence* other values
	Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program. Related to data flow is the taint-tracking library, which finds how data can *influence* other values

[geoffw0]

This hasn't been addressed yet.

[redsun82]

I was sure I did, sorry!

[geoffw0]

I'm appreciative of the automation here!

[hvitved]

I actually don't think those predicates exist yet.

[sunbrye]

Reviewing on behalf of the docs team. I've added editorial suggestions, but aside from that, this looks good to me ✅

[sunbrye]

Suggested change

	Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before looking at more complex tracking, you should always consider local tracking because it is sufficient for many queries.
	Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before using more complex tracking, consider local tracking, as it is sufficient for many queries.

[sunbrye]

Styling NIT: Remove the extra new line here.

Please feel free to ignore this comment if it should stay as is

[sunbrye]

Suggested change

	Note that since ``asExpr`` maps from data-flow to control-flow nodes, you then need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node,
	for example by writing ``node.asExpr().getExpr()``.
	Note that because ``asExpr`` maps from data-flow to control-flow nodes, you need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node. For example, you can write ``node.asExpr().getExpr()``.

[sunbrye]

Suggested change

	You can apply the predicate recursively, by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localFlow``.
	You can apply the predicate recursively by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localFlow``.

[sunbrye]

Suggested change

	You can apply the predicate recursively, by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localTaint``.
	You can apply the predicate recursively by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localTaint``.

[sunbrye]

Suggested change

	When exploring local data flow or taint propagation between two expressions as above, you would normally constrain the expressions to be relevant to your investigation.
	When exploring local data flow or taint propagation between two expressions, such as in the previous example, you typically constrain the expressions to those relevant to your investigation.

[sunbrye]

Suggested change

	The next section gives some concrete examples, but first it's helpful to introduce the concept of a local source.
	A local source is a data-flow node with no local data flow into it.
	As such, it is a local origin of data flow, a place where a new value is created.
	This includes parameters (which only receive values from global data flow) and most expressions (because they are not value-preserving).
	The class ``LocalSourceNode`` represents data-flow nodes that are also local sources.
	It comes with a useful member predicate ``flowsTo(DataFlow::Node node)``, which holds if there is local data flow from the local source to ``node``.
	The next section provides concrete examples, but first introduces the concept of a local source.
	A local source is a data-flow node with no local data flow into it.
	It is a local origin of data flow, a place where a new value is created.
	This includes parameters (which only receive values from global data flow) and most expressions (because they are not value-preserving).
	The class ``LocalSourceNode`` represents data-flow nodes that are also local sources.
	It includes a useful member predicate ``flowsTo(DataFlow::Node node)``, which holds if there is local data flow from the local source to ``node``.

[sunbrye]

Suggested change

	- :doc:`CodeQL library for Rust <codeql-library-for-rust>`: When you're analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
	- :doc:`CodeQL library for Rust <codeql-library-for-rust>`: When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.

[sunbrye]

Suggested change

	When you're analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
	When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.

[sunbrye]

Suggested change

	Unfortunately this will only give the expression in the argument, not the values which could be passed to it.
	So we use local data flow to find all expressions that flow into the argument:
	Unfortunately, this only returns the expression used as the argument, not the possible values that could be passed to it. To address this, you can use local data flow to find all expressions that flow into the argument.

[sunbrye]

Suggested change

	We can vary the source, for example, making the source the parameter of a function rather than an expression. The following query finds where a parameter is used for the file creation:
	You can vary the source by making the source the parameter of a function instead of an expression. The following query finds where a parameter is used in file creation:

[sunbrye]

Suggested change

	Global taint tracking is to global data flow what local taint tracking is to local data flow.
	That is, global taint tracking extends global data flow with additional non-value-preserving steps.
	The global taint tracking library uses the same configuration module as the global data flow library. You can perform taint flow analysis using ``TaintTracking::Global``:
	Global taint tracking relates to global data flow in the same way that local taint tracking relates to local data flow.
	In other words, global taint tracking extends global data flow with additional non-value-preserving steps.
	The global taint tracking library uses the same configuration module as the global data flow library. You can perform taint flow analysis using ``TaintTracking::Global``:

[sunbrye]

Suggested change

	- The sources and sinks may need tuning to a particular use, for example, if passwords are represented by a type other than ``String`` or passed in arguments of a different name than "password".
	- The sources and sinks may need to be adjusted for a particular use. For example, passwords might be represented by a type other than ``String`` or passed in arguments with a different name than "password".

[sunbrye]

Suggested change

	The library is implemented as a set of CodeQL modules, that is, files with the extension ``.qll``. The
	The library is implemented as a set of CodeQL modules, which are files with the extension ``.qll``. The

[sunbrye]

Suggested change

	to match syntactic elements in the source code. This can be used for example to find values, patterns and structures.
	to match syntactic elements in the source code. This can be used to find values, patterns, and structures.

[sunbrye]

Suggested change

	The control flow graph (CFG) is imported using
	The control flow graph (CFG) is imported using:

[sunbrye]

Suggested change

	The CFG models the control flow between statements and expressions, for example whether one expression can
	be evaluated before another expression, or whether an expression "dominates" another one, meaning that all paths to an
	expression must flow through another expression first.
	The CFG models the control flow between statements and expressions. For example, it can determine whether one expression can
	be evaluated before another expression, or whether an expression "dominates" another one, meaning that all paths to an
	expression must flow through another expression first.

[sunbrye]

Suggested change

	The data flow library is imported using
	The data flow library is imported using:

[sunbrye]

Suggested change

	Data flow tracks the flow of data through the program, including through function calls (interprocedural data flow) and between steps in a job or workflow.
	Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program. Related to data flow is the taint-tracking library,
	which finds how data can *influence* other values in a program, even when it is not copied exactly.
	Data flow tracks the flow of data through the program, including across function calls (interprocedural data flow) and between steps in a job or workflow.
	Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program. The taint-tracking library is related to data flow,
	and helps you find how data can *influence* other values in a program, even when it is not copied exactly.