Rust: Adjust the taint reach metric for better stability.

Author: geoffw0

rust/ql/src/queries/summary/TaintReach.qll

@@ -7,6 +7,7 @@ import rust
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.TaintTracking
+private import codeql.rust.dataflow.internal.Node
 
 /**
  * A taint configuration for taint reach (flow to any node from any modeled source).
@@ -21,11 +22,17 @@ private module TaintReachFlow = TaintTracking::Global<TaintReachConfig>;
 
 /**
  * Gets the total number of data flow nodes that taint reaches (from any source).
+ *
+ * We don't include flow summary nodes, as their number is unstable (varies when models
+ * are added).
  */
-int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) }
+int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n) and not n instanceof FlowSummaryNode) }
 
 /**
  * Gets the proportion of data flow nodes that taint reaches (from any source),
  * expressed as a count per million nodes.
+ *
+ * We don't include flow summary nodes, as their number is unstable (varies when models
+ * are added).
  */
-float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) }
+float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n |  not n instanceof FlowSummaryNode) }