Rust: Model mysql and mysql_async query sinks

[geoffw0]

Model mysql and mysql_async query sinks (sources will follow in another PR).

[Copilot]

Pull Request Overview

Adds SQL injection sink models for the mysql and mysql_async Rust libraries to improve security analysis coverage.

• Introduces sink models for various query methods in both sync and async MySQL libraries
• Includes comprehensive test coverage demonstrating SQL injection detection
• Updates documentation to reflect the newly supported frameworks

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
rust/ql/test/query-tests/security/CWE-089/options.yml	Adds mysql and mysql_async dependencies for testing
rust/ql/test/query-tests/security/CWE-089/mysql.rs	Test file demonstrating both safe and unsafe MySQL query patterns
rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected	Expected test results showing proper SQL injection detection
rust/ql/lib/codeql/rust/frameworks/mysql.model.yml	Sink models for synchronous mysql library query methods
rust/ql/lib/codeql/rust/frameworks/mysql-async.model.yml	Sink models for asynchronous mysql_async library query methods
rust/ql/lib/change-notes/2025-10-10-mysql.md	Change note documenting the new library support
docs/codeql/reusables/supported-frameworks.rst	Documentation update listing the new supported frameworks

[Copilot]

Pull Request Overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated no new comments.

[geoffw0]

DCA LGTM.

[paldepind]

Models look good to me. I got thrown off by some of the formatting so I'd suggest that we format the tests with rustfmt to make things more uniform and easier to read.

[paldepind]

What are these commas here and below?

                                                                  here
                                                                   v
        let _ : Vec<i64> = conn.exec(&stmt, (remote_string.as_str(),))?;

[geoffw0]

It's one of those funny corners of languages - this is required to disambiguate a tuple with one element from ordinary parenthesis in Rust. See here.

[paldepind]

Ah! Thanks.

[geoffw0]

I'd suggest that we format the tests with rustfmt to make things more uniform and easier to read.

I'm generally against formatting tests, at least uniformly, as we should aim to have a high diversity of code in tests and auto formatting reduces it. I'm happy to address specific areas of confusion, and perhaps even format whole files in certain cases - but I don't want us to get anywhere close to this being a requirement (in tests).

[geoffw0]

I have formatted just this test file.

[paldepind]

Thanks. From my point of view, I find auto-formatted code nicer to read and since formatting mostly only affect parsing, and rust_analyzer handles parsing, I'd think it wouldn't be something we'd have to test much. But that's just my preference :)

[geoffw0]

I'd think it wouldn't be something we'd have to test much.

True. It's probably fine if 90% of tests are formatted for ease of reading.

[geoffw0]

@paldepind would you mind re-approving this?

[geoffw0]

Thanks!