Rust: Fix FPs in rust/hard-coded-cryptographic-value

[geoffw0]

Addresses a common source of false positive results in rust/hard-coded-cryptographic-value where arithmetic involves constants but the result is not constant. For example:

nonce += 1; // this is acceptable
encryption_routine(..., nonce);

[Copilot]

Pull request overview

This PR adjusts the Rust rust/hard-coded-cryptographic-value query’s dataflow configuration to reduce false positives when hard-coded constants are combined with non-constant data via arithmetic/bitwise operations (and +/+=-style string concatenation), and updates the associated tests and change note.

Changes:

• Add a new barrier for arithmetic/bitwise operations to stop “hard-coded” flow across these operations.
• Update the CWE-798 Rust query test to ensure arithmetic-with-variable no longer triggers alerts and to cover string append scenarios.
• Add a change note documenting the analysis behavior change.

Show a summary per file

File	Description
rust/ql/test/query-tests/security/CWE-798/test_heuristic.rs	Updates inline expectations to assert the FP fix and adds string append test cases.
rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected	Regenerates expected output reflecting the new barrier behavior/models.
rust/ql/src/change-notes/2026-06-25-hard-coded-cryptographic-value-arithmetic-barrier.md	Adds a change note for the query behavior change.
rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll	Introduces a new barrier node class for arithmetic/bitwise operations.

Copilot's findings

• Files reviewed: 4/4 changed files
• Comments generated: 1

[geoffw0]

Change suggestions accepted. I will need to check the DCA run still.