diff --git a/java/ql/lib/change-notes/2025-09-02-kdf-api.md b/java/ql/lib/change-notes/2025-09-02-kdf-api.md
new file mode 100644
index 000000000000..db812e907780
--- /dev/null
+++ b/java/ql/lib/change-notes/2025-09-02-kdf-api.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint flow model for `java.crypto.KDF`.
\ No newline at end of file
diff --git a/java/ql/lib/ext/javax.crypto.model.yml b/java/ql/lib/ext/javax.crypto.model.yml
index 2b3bfc1abe85..0a2d43fce17f 100644
--- a/java/ql/lib/ext/javax.crypto.model.yml
+++ b/java/ql/lib/ext/javax.crypto.model.yml
@@ -7,6 +7,21 @@ extensions:
       - ["javax.crypto", "Cipher", True, "init", "(int,Key,AlgorithmParameterSpec,SecureRandom)", "", "Argument[2]", "encryption-iv", "manual"]
       - ["javax.crypto", "Cipher", False, "unwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["javax.crypto", "CipherSpi", True, "engineUnwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["javax.crypto", "KDF", False, "getInstance", "(String)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
+      - ["javax.crypto", "KDF", False, "getInstance", "(String,Provider)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
+      - ["javax.crypto", "KDF", False, "getInstance", "(String,String)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
+      - ["javax.crypto", "KDF", False, "getInstance", "(String,KDFParameters)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
+      - ["javax.crypto", "KDF", False, "getInstance", "(String,KDFParameters,Provider)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
+      - ["javax.crypto", "KDF", False, "getInstance", "(String,KDFParameters,String)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
+      - ["javax.crypto", "KDF", True, "getAlgorithm", "()", "", "Argument[this].SyntheticField[javax.crypto.KDF.algorithm]", "ReturnValue", "value", "manual"]
+      - ["javax.crypto", "KDF", True, "getProvider", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["javax.crypto", "KDF", True, "deriveKey", "(String,AlgorithmParameterSpec)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["javax.crypto", "KDF", True, "deriveData", "(AlgorithmParameterSpec)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["javax.crypto", "SecretKey", True, "getEncoded", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
diff --git a/java/ql/lib/ext/javax.crypto.spec.model.yml b/java/ql/lib/ext/javax.crypto.spec.model.yml
index d2b7dbc99b8d..e670af7622ad 100644
--- a/java/ql/lib/ext/javax.crypto.spec.model.yml
+++ b/java/ql/lib/ext/javax.crypto.spec.model.yml
@@ -7,6 +7,20 @@ extensions:
       - ["javax.crypto.spec", "GCMParameterSpec", True, "GCMParameterSpec", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
       - ["javax.crypto.spec", "RC2ParameterSpec", True, "RC2ParameterSpec", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
       - ["javax.crypto.spec", "RC5ParameterSpec", True, "RC5ParameterSpec", "", "", "Argument[3]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(SecretKey)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(SecretKey)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addSalt", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addSalt", "(byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addSalt", "(SecretKey)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addSalt", "(SecretKey)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "thenExpand", "(byte[],int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "thenExpand", "(byte[],int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec", False, "expandOnly", "(SecretKey,byte[],int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["javax.crypto.spec", "HKDFParameterSpec", False, "expandOnly", "(SecretKey,byte[],int)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],int,int,String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: sinkModel
diff --git a/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected b/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected
index b901340b9642..a56980d10ac4 100644
--- a/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected
+++ b/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected
@@ -16,30 +16,6 @@ methodWithDuplicate
 | AbstractCollection<E> | removeAll | Collection<?> |
 | AbstractCollection<E> | retainAll | Collection<?> |
 | AbstractCollection<E> | toArray | T[] |
-| AbstractCollection<Entry<K,V>> | add | Entry<K,V> |
-| AbstractCollection<Entry<K,V>> | addAll | Collection<? extends Entry<K,V>> |
-| AbstractCollection<Entry<K,V>> | contains | Object |
-| AbstractCollection<Entry<K,V>> | containsAll | Collection<?> |
-| AbstractCollection<Entry<K,V>> | remove | Object |
-| AbstractCollection<Entry<K,V>> | removeAll | Collection<?> |
-| AbstractCollection<Entry<K,V>> | retainAll | Collection<?> |
-| AbstractCollection<Entry<K,V>> | toArray | T[] |
-| AbstractCollection<K> | add | K |
-| AbstractCollection<K> | addAll | Collection<? extends K> |
-| AbstractCollection<K> | contains | Object |
-| AbstractCollection<K> | containsAll | Collection<?> |
-| AbstractCollection<K> | remove | Object |
-| AbstractCollection<K> | removeAll | Collection<?> |
-| AbstractCollection<K> | retainAll | Collection<?> |
-| AbstractCollection<K> | toArray | T[] |
-| AbstractCollection<Runnable> | add | Runnable |
-| AbstractCollection<Runnable> | addAll | Collection<? extends Runnable> |
-| AbstractCollection<Runnable> | contains | Object |
-| AbstractCollection<Runnable> | containsAll | Collection<?> |
-| AbstractCollection<Runnable> | remove | Object |
-| AbstractCollection<Runnable> | removeAll | Collection<?> |
-| AbstractCollection<Runnable> | retainAll | Collection<?> |
-| AbstractCollection<Runnable> | toArray | T[] |
 | AbstractCollection<String> | add | String |
 | AbstractCollection<String> | addAll | Collection<? extends String> |
 | AbstractCollection<String> | contains | Object |
@@ -56,14 +32,6 @@ methodWithDuplicate
 | AbstractCollection<T> | removeAll | Collection<?> |
 | AbstractCollection<T> | retainAll | Collection<?> |
 | AbstractCollection<T> | toArray | T[] |
-| AbstractCollection<V> | add | V |
-| AbstractCollection<V> | addAll | Collection<? extends V> |
-| AbstractCollection<V> | contains | Object |
-| AbstractCollection<V> | containsAll | Collection<?> |
-| AbstractCollection<V> | remove | Object |
-| AbstractCollection<V> | removeAll | Collection<?> |
-| AbstractCollection<V> | retainAll | Collection<?> |
-| AbstractCollection<V> | toArray | T[] |
 | AbstractList | add | E |
 | AbstractList | add | int |
 | AbstractList | addAll | Collection<? extends E> |
@@ -103,14 +71,14 @@ methodWithDuplicate
 | AbstractMap | put | V |
 | AbstractMap | putAll | Map<? extends K,? extends V> |
 | AbstractMap | remove | Object |
-| AbstractMap<Identity,Entry<?>> | containsKey | Object |
-| AbstractMap<Identity,Entry<?>> | containsValue | Object |
-| AbstractMap<Identity,Entry<?>> | equals | Object |
-| AbstractMap<Identity,Entry<?>> | get | Object |
-| AbstractMap<Identity,Entry<?>> | put | Entry<?> |
-| AbstractMap<Identity,Entry<?>> | put | Identity |
-| AbstractMap<Identity,Entry<?>> | putAll | Map<? extends Identity,? extends Entry<?>> |
-| AbstractMap<Identity,Entry<?>> | remove | Object |
+| AbstractMap<Identity,Object> | containsKey | Object |
+| AbstractMap<Identity,Object> | containsValue | Object |
+| AbstractMap<Identity,Object> | equals | Object |
+| AbstractMap<Identity,Object> | get | Object |
+| AbstractMap<Identity,Object> | put | Identity |
+| AbstractMap<Identity,Object> | put | Object |
+| AbstractMap<Identity,Object> | putAll | Map<? extends Identity,? extends Object> |
+| AbstractMap<Identity,Object> | remove | Object |
 | AbstractMap<K,V> | containsKey | Object |
 | AbstractMap<K,V> | containsValue | Object |
 | AbstractMap<K,V> | equals | Object |
@@ -179,17 +147,6 @@ methodWithDuplicate
 | Collection<K> | retainAll | Collection<?> |
 | Collection<K> | toArray | IntFunction<T[]> |
 | Collection<K> | toArray | T[] |
-| Collection<Runnable> | add | Runnable |
-| Collection<Runnable> | addAll | Collection<? extends Runnable> |
-| Collection<Runnable> | contains | Object |
-| Collection<Runnable> | containsAll | Collection<?> |
-| Collection<Runnable> | equals | Object |
-| Collection<Runnable> | remove | Object |
-| Collection<Runnable> | removeAll | Collection<?> |
-| Collection<Runnable> | removeIf | Predicate<? super Runnable> |
-| Collection<Runnable> | retainAll | Collection<?> |
-| Collection<Runnable> | toArray | IntFunction<T[]> |
-| Collection<Runnable> | toArray | T[] |
 | Collection<String> | add | String |
 | Collection<String> | addAll | Collection<? extends String> |
 | Collection<String> | contains | Object |
@@ -332,37 +289,36 @@ methodWithDuplicate
 | Map | replace | K |
 | Map | replace | V |
 | Map | replaceAll | BiFunction<? super K,? super V,? extends V> |
-| Map<Identity,Entry<?>> | compute | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | compute | Identity |
-| Map<Identity,Entry<?>> | computeIfAbsent | Function<? super Identity,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | computeIfAbsent | Identity |
-| Map<Identity,Entry<?>> | computeIfPresent | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | computeIfPresent | Identity |
-| Map<Identity,Entry<?>> | containsKey | Object |
-| Map<Identity,Entry<?>> | containsValue | Object |
-| Map<Identity,Entry<?>> | copyOf | Map<? extends K,? extends V> |
-| Map<Identity,Entry<?>> | entry | K |
-| Map<Identity,Entry<?>> | entry | V |
-| Map<Identity,Entry<?>> | equals | Object |
-| Map<Identity,Entry<?>> | forEach | BiConsumer<? super Identity,? super Entry<?>> |
-| Map<Identity,Entry<?>> | get | Object |
-| Map<Identity,Entry<?>> | getOrDefault | Entry<?> |
-| Map<Identity,Entry<?>> | getOrDefault | Object |
-| Map<Identity,Entry<?>> | merge | BiFunction<? super Entry<?>,? super Entry<?>,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | merge | Entry<?> |
-| Map<Identity,Entry<?>> | merge | Identity |
-| Map<Identity,Entry<?>> | of | K |
-| Map<Identity,Entry<?>> | of | V |
-| Map<Identity,Entry<?>> | ofEntries | Entry<? extends K,? extends V>[] |
-| Map<Identity,Entry<?>> | put | Entry<?> |
-| Map<Identity,Entry<?>> | put | Identity |
-| Map<Identity,Entry<?>> | putAll | Map<? extends Identity,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | putIfAbsent | Entry<?> |
-| Map<Identity,Entry<?>> | putIfAbsent | Identity |
-| Map<Identity,Entry<?>> | remove | Object |
-| Map<Identity,Entry<?>> | replace | Entry<?> |
-| Map<Identity,Entry<?>> | replace | Identity |
-| Map<Identity,Entry<?>> | replaceAll | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
+| Map<Identity,Object> | compute | BiFunction<? super Identity,? super Object,? extends Object> |
+| Map<Identity,Object> | compute | Identity |
+| Map<Identity,Object> | computeIfAbsent | Function<? super Identity,? extends Object> |
+| Map<Identity,Object> | computeIfAbsent | Identity |
+| Map<Identity,Object> | computeIfPresent | BiFunction<? super Identity,? super Object,? extends Object> |
+| Map<Identity,Object> | computeIfPresent | Identity |
+| Map<Identity,Object> | containsKey | Object |
+| Map<Identity,Object> | containsValue | Object |
+| Map<Identity,Object> | copyOf | Map<? extends K,? extends V> |
+| Map<Identity,Object> | entry | K |
+| Map<Identity,Object> | entry | V |
+| Map<Identity,Object> | equals | Object |
+| Map<Identity,Object> | forEach | BiConsumer<? super Identity,? super Object> |
+| Map<Identity,Object> | get | Object |
+| Map<Identity,Object> | getOrDefault | Object |
+| Map<Identity,Object> | merge | BiFunction<? super Object,? super Object,? extends Object> |
+| Map<Identity,Object> | merge | Identity |
+| Map<Identity,Object> | merge | Object |
+| Map<Identity,Object> | of | K |
+| Map<Identity,Object> | of | V |
+| Map<Identity,Object> | ofEntries | Entry<? extends K,? extends V>[] |
+| Map<Identity,Object> | put | Identity |
+| Map<Identity,Object> | put | Object |
+| Map<Identity,Object> | putAll | Map<? extends Identity,? extends Object> |
+| Map<Identity,Object> | putIfAbsent | Identity |
+| Map<Identity,Object> | putIfAbsent | Object |
+| Map<Identity,Object> | remove | Object |
+| Map<Identity,Object> | replace | Identity |
+| Map<Identity,Object> | replace | Object |
+| Map<Identity,Object> | replaceAll | BiFunction<? super Identity,? super Object,? extends Object> |
 | Map<K,V> | compute | BiFunction<? super K,? super V,? extends V> |
 | Map<K,V> | compute | K |
 | Map<K,V> | computeIfAbsent | Function<? super K,? extends V> |
diff --git a/java/ql/test-kotlin1/library-tests/reflection/reflection.expected b/java/ql/test-kotlin1/library-tests/reflection/reflection.expected
index 7ce456cdcbb2..3bc2f9ce67d6 100644
--- a/java/ql/test-kotlin1/library-tests/reflection/reflection.expected
+++ b/java/ql/test-kotlin1/library-tests/reflection/reflection.expected
@@ -289,6 +289,7 @@ compGenerated
 | file://<external>/LongProgression.class:0:0:0:0 | spliterator | Forwarder for a Kotlin class inheriting an interface default method |
 | file://<external>/LongRange.class:0:0:0:0 | forEach | Forwarder for a Kotlin class inheriting an interface default method |
 | file://<external>/LongRange.class:0:0:0:0 | spliterator | Forwarder for a Kotlin class inheriting an interface default method |
+| file://<external>/String.class:0:0:0:0 | getChars | Forwarder for a Kotlin class inheriting an interface default method |
 | file://<external>/String.class:0:0:0:0 | isEmpty | Forwarder for a Kotlin class inheriting an interface default method |
 | reflection.kt:7:49:7:54 | new Function2<Ccc,Integer,Double>(...) { ... } | The class around a local function, a lambda, or a function reference |
 | reflection.kt:10:38:10:42 | new KProperty1<C,Integer>(...) { ... } | The class around a local function, a lambda, or a function reference |
diff --git a/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected b/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected
index 03e86e2d2a18..2495c1fc1572 100644
--- a/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected
+++ b/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected
@@ -16,30 +16,6 @@ methodWithDuplicate
 | AbstractCollection<E> | removeAll | Collection<?> |
 | AbstractCollection<E> | retainAll | Collection<?> |
 | AbstractCollection<E> | toArray | T[] |
-| AbstractCollection<Entry<K,V>> | add | Entry<K,V> |
-| AbstractCollection<Entry<K,V>> | addAll | Collection<? extends Entry<K,V>> |
-| AbstractCollection<Entry<K,V>> | contains | Object |
-| AbstractCollection<Entry<K,V>> | containsAll | Collection<?> |
-| AbstractCollection<Entry<K,V>> | remove | Object |
-| AbstractCollection<Entry<K,V>> | removeAll | Collection<?> |
-| AbstractCollection<Entry<K,V>> | retainAll | Collection<?> |
-| AbstractCollection<Entry<K,V>> | toArray | T[] |
-| AbstractCollection<K> | add | K |
-| AbstractCollection<K> | addAll | Collection<? extends K> |
-| AbstractCollection<K> | contains | Object |
-| AbstractCollection<K> | containsAll | Collection<?> |
-| AbstractCollection<K> | remove | Object |
-| AbstractCollection<K> | removeAll | Collection<?> |
-| AbstractCollection<K> | retainAll | Collection<?> |
-| AbstractCollection<K> | toArray | T[] |
-| AbstractCollection<Runnable> | add | Runnable |
-| AbstractCollection<Runnable> | addAll | Collection<? extends Runnable> |
-| AbstractCollection<Runnable> | contains | Object |
-| AbstractCollection<Runnable> | containsAll | Collection<?> |
-| AbstractCollection<Runnable> | remove | Object |
-| AbstractCollection<Runnable> | removeAll | Collection<?> |
-| AbstractCollection<Runnable> | retainAll | Collection<?> |
-| AbstractCollection<Runnable> | toArray | T[] |
 | AbstractCollection<String> | add | String |
 | AbstractCollection<String> | addAll | Collection<? extends String> |
 | AbstractCollection<String> | contains | Object |
@@ -56,14 +32,6 @@ methodWithDuplicate
 | AbstractCollection<T> | removeAll | Collection<?> |
 | AbstractCollection<T> | retainAll | Collection<?> |
 | AbstractCollection<T> | toArray | T[] |
-| AbstractCollection<V> | add | V |
-| AbstractCollection<V> | addAll | Collection<? extends V> |
-| AbstractCollection<V> | contains | Object |
-| AbstractCollection<V> | containsAll | Collection<?> |
-| AbstractCollection<V> | remove | Object |
-| AbstractCollection<V> | removeAll | Collection<?> |
-| AbstractCollection<V> | retainAll | Collection<?> |
-| AbstractCollection<V> | toArray | T[] |
 | AbstractList | add | E |
 | AbstractList | add | int |
 | AbstractList | addAll | Collection<? extends E> |
@@ -103,14 +71,14 @@ methodWithDuplicate
 | AbstractMap | put | V |
 | AbstractMap | putAll | Map<? extends K,? extends V> |
 | AbstractMap | remove | Object |
-| AbstractMap<Identity,Entry<?>> | containsKey | Object |
-| AbstractMap<Identity,Entry<?>> | containsValue | Object |
-| AbstractMap<Identity,Entry<?>> | equals | Object |
-| AbstractMap<Identity,Entry<?>> | get | Object |
-| AbstractMap<Identity,Entry<?>> | put | Entry<?> |
-| AbstractMap<Identity,Entry<?>> | put | Identity |
-| AbstractMap<Identity,Entry<?>> | putAll | Map<? extends Identity,? extends Entry<?>> |
-| AbstractMap<Identity,Entry<?>> | remove | Object |
+| AbstractMap<Identity,Object> | containsKey | Object |
+| AbstractMap<Identity,Object> | containsValue | Object |
+| AbstractMap<Identity,Object> | equals | Object |
+| AbstractMap<Identity,Object> | get | Object |
+| AbstractMap<Identity,Object> | put | Identity |
+| AbstractMap<Identity,Object> | put | Object |
+| AbstractMap<Identity,Object> | putAll | Map<? extends Identity,? extends Object> |
+| AbstractMap<Identity,Object> | remove | Object |
 | AbstractMap<K,V> | containsKey | Object |
 | AbstractMap<K,V> | containsValue | Object |
 | AbstractMap<K,V> | equals | Object |
@@ -176,16 +144,6 @@ methodWithDuplicate
 | Collection<K> | retainAll | Collection<?> |
 | Collection<K> | toArray | IntFunction<T[]> |
 | Collection<K> | toArray | T[] |
-| Collection<Runnable> | add | Runnable |
-| Collection<Runnable> | addAll | Collection<? extends Runnable> |
-| Collection<Runnable> | contains | Object |
-| Collection<Runnable> | containsAll | Collection<?> |
-| Collection<Runnable> | remove | Object |
-| Collection<Runnable> | removeAll | Collection<?> |
-| Collection<Runnable> | removeIf | Predicate<? super Runnable> |
-| Collection<Runnable> | retainAll | Collection<?> |
-| Collection<Runnable> | toArray | IntFunction<T[]> |
-| Collection<Runnable> | toArray | T[] |
 | Collection<String> | add | String |
 | Collection<String> | addAll | Collection<? extends String> |
 | Collection<String> | contains | Object |
@@ -325,36 +283,35 @@ methodWithDuplicate
 | Map | replace | K |
 | Map | replace | V |
 | Map | replaceAll | BiFunction<? super K,? super V,? extends V> |
-| Map<Identity,Entry<?>> | compute | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | compute | Identity |
-| Map<Identity,Entry<?>> | computeIfAbsent | Function<? super Identity,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | computeIfAbsent | Identity |
-| Map<Identity,Entry<?>> | computeIfPresent | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | computeIfPresent | Identity |
-| Map<Identity,Entry<?>> | containsKey | Object |
-| Map<Identity,Entry<?>> | containsValue | Object |
-| Map<Identity,Entry<?>> | copyOf | Map<? extends K,? extends V> |
-| Map<Identity,Entry<?>> | entry | K |
-| Map<Identity,Entry<?>> | entry | V |
-| Map<Identity,Entry<?>> | forEach | BiConsumer<? super Identity,? super Entry<?>> |
-| Map<Identity,Entry<?>> | get | Object |
-| Map<Identity,Entry<?>> | getOrDefault | Entry<?> |
-| Map<Identity,Entry<?>> | getOrDefault | Object |
-| Map<Identity,Entry<?>> | merge | BiFunction<? super Entry<?>,? super Entry<?>,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | merge | Entry<?> |
-| Map<Identity,Entry<?>> | merge | Identity |
-| Map<Identity,Entry<?>> | of | K |
-| Map<Identity,Entry<?>> | of | V |
-| Map<Identity,Entry<?>> | ofEntries | Entry<? extends K,? extends V>[] |
-| Map<Identity,Entry<?>> | put | Entry<?> |
-| Map<Identity,Entry<?>> | put | Identity |
-| Map<Identity,Entry<?>> | putAll | Map<? extends Identity,? extends Entry<?>> |
-| Map<Identity,Entry<?>> | putIfAbsent | Entry<?> |
-| Map<Identity,Entry<?>> | putIfAbsent | Identity |
-| Map<Identity,Entry<?>> | remove | Object |
-| Map<Identity,Entry<?>> | replace | Entry<?> |
-| Map<Identity,Entry<?>> | replace | Identity |
-| Map<Identity,Entry<?>> | replaceAll | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
+| Map<Identity,Object> | compute | BiFunction<? super Identity,? super Object,? extends Object> |
+| Map<Identity,Object> | compute | Identity |
+| Map<Identity,Object> | computeIfAbsent | Function<? super Identity,? extends Object> |
+| Map<Identity,Object> | computeIfAbsent | Identity |
+| Map<Identity,Object> | computeIfPresent | BiFunction<? super Identity,? super Object,? extends Object> |
+| Map<Identity,Object> | computeIfPresent | Identity |
+| Map<Identity,Object> | containsKey | Object |
+| Map<Identity,Object> | containsValue | Object |
+| Map<Identity,Object> | copyOf | Map<? extends K,? extends V> |
+| Map<Identity,Object> | entry | K |
+| Map<Identity,Object> | entry | V |
+| Map<Identity,Object> | forEach | BiConsumer<? super Identity,? super Object> |
+| Map<Identity,Object> | get | Object |
+| Map<Identity,Object> | getOrDefault | Object |
+| Map<Identity,Object> | merge | BiFunction<? super Object,? super Object,? extends Object> |
+| Map<Identity,Object> | merge | Identity |
+| Map<Identity,Object> | merge | Object |
+| Map<Identity,Object> | of | K |
+| Map<Identity,Object> | of | V |
+| Map<Identity,Object> | ofEntries | Entry<? extends K,? extends V>[] |
+| Map<Identity,Object> | put | Identity |
+| Map<Identity,Object> | put | Object |
+| Map<Identity,Object> | putAll | Map<? extends Identity,? extends Object> |
+| Map<Identity,Object> | putIfAbsent | Identity |
+| Map<Identity,Object> | putIfAbsent | Object |
+| Map<Identity,Object> | remove | Object |
+| Map<Identity,Object> | replace | Identity |
+| Map<Identity,Object> | replace | Object |
+| Map<Identity,Object> | replaceAll | BiFunction<? super Identity,? super Object,? extends Object> |
 | Map<K,V> | compute | BiFunction<? super K,? super V,? extends V> |
 | Map<K,V> | compute | K |
 | Map<K,V> | computeIfAbsent | Function<? super K,? extends V> |
diff --git a/java/ql/test-kotlin2/library-tests/reflection/reflection.expected b/java/ql/test-kotlin2/library-tests/reflection/reflection.expected
index 4074866da65f..b5de2b1adea3 100644
--- a/java/ql/test-kotlin2/library-tests/reflection/reflection.expected
+++ b/java/ql/test-kotlin2/library-tests/reflection/reflection.expected
@@ -329,6 +329,7 @@ compGenerated
 | file://<external>/SignStyle.class:0:0:0:0 | getEntries | Default property accessor |
 | file://<external>/StackWalker$ExtendedOption.class:0:0:0:0 | getEntries | Default property accessor |
 | file://<external>/StackWalker$Option.class:0:0:0:0 | getEntries | Default property accessor |
+| file://<external>/String.class:0:0:0:0 | getChars | Forwarder for a Kotlin class inheriting an interface default method |
 | file://<external>/String.class:0:0:0:0 | isEmpty | Forwarder for a Kotlin class inheriting an interface default method |
 | file://<external>/TextStyle.class:0:0:0:0 | getEntries | Default property accessor |
 | file://<external>/Thread$State.class:0:0:0:0 | getEntries | Default property accessor |
diff --git a/java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java b/java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java
new file mode 100644
index 000000000000..984cdd702a2b
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java
@@ -0,0 +1,74 @@
+import javax.crypto.KDF;
+import javax.crypto.spec.HKDFParameterSpec;
+
+public class KDFDataflowTest {
+    public static String source(String label) {
+        return "tainted";
+    }
+
+    public static void sink(Object o) {}
+
+    public static void main(String[] args) throws Exception {
+        String userInput = source("");
+        byte[] taintedBytes = userInput.getBytes();
+
+        testBuilderPattern(taintedBytes);
+        testSeparateBuilder(taintedBytes);
+        testKDFWithSalt(taintedBytes);
+        testStaticParameterSpec(taintedBytes);
+        testCleanUsage();
+    }
+
+    public static void testBuilderPattern(byte[] taintedIKM) throws Exception {
+        HKDFParameterSpec.Builder builder = HKDFParameterSpec.ofExtract();
+        builder.addIKM(taintedIKM);
+        HKDFParameterSpec spec = builder.thenExpand("info".getBytes(), 32);
+
+        KDF kdf = KDF.getInstance("HKDF-SHA256");
+        byte[] result = kdf.deriveData(spec);
+        sink(result); // $ hasTaintFlow
+    }
+
+    public static void testSeparateBuilder(byte[] taintedIKM) throws Exception {
+        HKDFParameterSpec.Builder builder1 = HKDFParameterSpec.ofExtract();
+        HKDFParameterSpec.Builder builder2 = builder1.addIKM(taintedIKM);
+        HKDFParameterSpec spec = builder2.thenExpand("info".getBytes(), 32);
+
+        KDF kdf = KDF.getInstance("HKDF-SHA256");
+        byte[] result = kdf.deriveData(spec);
+        sink(result); // $ hasTaintFlow
+    }
+
+    public static void testKDFWithSalt(byte[] taintedIKM) throws Exception {
+        HKDFParameterSpec.Builder builder = HKDFParameterSpec.ofExtract();
+        builder.addIKM(taintedIKM);
+        builder.addSalt("sensitive-salt".getBytes());
+        HKDFParameterSpec spec = builder.thenExpand("info".getBytes(), 32);
+
+        KDF kdf = KDF.getInstance("HKDF-SHA256");
+        byte[] result = kdf.deriveData(spec);
+        sink(result); // $ hasTaintFlow
+    }
+
+    public static void testStaticParameterSpec(byte[] taintedIKM) throws Exception {
+        javax.crypto.spec.SecretKeySpec secretKey = new javax.crypto.spec.SecretKeySpec(taintedIKM, "AES");
+        HKDFParameterSpec spec = HKDFParameterSpec.expandOnly(
+            secretKey, "info".getBytes(), 32);
+
+        KDF kdf = KDF.getInstance("HKDF-SHA256");
+        byte[] result = kdf.deriveData(spec);
+        sink(result); // $ hasTaintFlow
+    }
+
+    public static void testCleanUsage() throws Exception {
+        byte[] cleanKeyMaterial = "static-key-material".getBytes();
+
+        HKDFParameterSpec.Builder builder = HKDFParameterSpec.ofExtract();
+        builder.addIKM(cleanKeyMaterial);
+        HKDFParameterSpec spec = builder.thenExpand("info".getBytes(), 32);
+
+        KDF kdf = KDF.getInstance("HKDF-SHA256");
+        byte[] cleanResult = kdf.deriveData(spec);
+        sink(cleanResult); // Safe - no taint
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/dataflow/kdf/options b/java/ql/test/library-tests/dataflow/kdf/options
new file mode 100644
index 000000000000..f4edc64c0178
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/kdf/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args --enable-preview --release 25
\ No newline at end of file
diff --git a/java/ql/test/library-tests/dataflow/kdf/test.expected b/java/ql/test/library-tests/dataflow/kdf/test.expected
new file mode 100644
index 000000000000..f2e5841b7f38
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/kdf/test.expected
@@ -0,0 +1,89 @@
+models
+| 1 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
+| 2 | Summary: javax.crypto.spec; HKDFParameterSpec$Builder; true; addIKM; (byte[]); ; Argument[0]; Argument[this]; taint; manual |
+| 3 | Summary: javax.crypto.spec; HKDFParameterSpec$Builder; true; addIKM; (byte[]); ; Argument[this]; ReturnValue; value; manual |
+| 4 | Summary: javax.crypto.spec; HKDFParameterSpec$Builder; true; thenExpand; (byte[],int); ; Argument[this]; ReturnValue; taint; manual |
+| 5 | Summary: javax.crypto.spec; HKDFParameterSpec; false; expandOnly; (SecretKey,byte[],int); ; Argument[0]; ReturnValue; taint; manual |
+| 6 | Summary: javax.crypto.spec; SecretKeySpec; false; SecretKeySpec; (byte[],String); ; Argument[0]; Argument[this]; taint; manual |
+| 7 | Summary: javax.crypto; KDF; true; deriveData; (AlgorithmParameterSpec); ; Argument[0]; ReturnValue; taint; manual |
+edges
+| KDFDataflowTest.java:12:28:12:37 | source(...) : String | KDFDataflowTest.java:13:31:13:39 | userInput : String | provenance |  |
+| KDFDataflowTest.java:13:31:13:39 | userInput : String | KDFDataflowTest.java:13:31:13:50 | getBytes(...) : byte[] | provenance | MaD:1 |
+| KDFDataflowTest.java:13:31:13:50 | getBytes(...) : byte[] | KDFDataflowTest.java:15:28:15:39 | taintedBytes : byte[] | provenance |  |
+| KDFDataflowTest.java:13:31:13:50 | getBytes(...) : byte[] | KDFDataflowTest.java:16:29:16:40 | taintedBytes : byte[] | provenance |  |
+| KDFDataflowTest.java:13:31:13:50 | getBytes(...) : byte[] | KDFDataflowTest.java:17:25:17:36 | taintedBytes : byte[] | provenance |  |
+| KDFDataflowTest.java:13:31:13:50 | getBytes(...) : byte[] | KDFDataflowTest.java:18:33:18:44 | taintedBytes : byte[] | provenance |  |
+| KDFDataflowTest.java:15:28:15:39 | taintedBytes : byte[] | KDFDataflowTest.java:22:43:22:59 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:16:29:16:40 | taintedBytes : byte[] | KDFDataflowTest.java:32:44:32:60 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:17:25:17:36 | taintedBytes : byte[] | KDFDataflowTest.java:42:40:42:56 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:18:33:18:44 | taintedBytes : byte[] | KDFDataflowTest.java:53:48:53:64 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:22:43:22:59 | taintedIKM : byte[] | KDFDataflowTest.java:24:24:24:33 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:24:9:24:15 | builder [post update] : Builder | KDFDataflowTest.java:25:34:25:40 | builder : Builder | provenance |  |
+| KDFDataflowTest.java:24:24:24:33 | taintedIKM : byte[] | KDFDataflowTest.java:24:9:24:15 | builder [post update] : Builder | provenance | MaD:2 |
+| KDFDataflowTest.java:25:34:25:40 | builder : Builder | KDFDataflowTest.java:25:34:25:74 | thenExpand(...) : ExtractThenExpand | provenance | MaD:4 |
+| KDFDataflowTest.java:25:34:25:74 | thenExpand(...) : ExtractThenExpand | KDFDataflowTest.java:28:40:28:43 | spec : ExtractThenExpand | provenance |  |
+| KDFDataflowTest.java:28:25:28:44 | deriveData(...) : byte[] | KDFDataflowTest.java:29:14:29:19 | result | provenance |  |
+| KDFDataflowTest.java:28:40:28:43 | spec : ExtractThenExpand | KDFDataflowTest.java:28:25:28:44 | deriveData(...) : byte[] | provenance | MaD:7 |
+| KDFDataflowTest.java:32:44:32:60 | taintedIKM : byte[] | KDFDataflowTest.java:34:62:34:71 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:34:46:34:72 | addIKM(...) : Builder | KDFDataflowTest.java:35:34:35:41 | builder2 : Builder | provenance |  |
+| KDFDataflowTest.java:34:62:34:71 | taintedIKM : byte[] | KDFDataflowTest.java:34:46:34:72 | addIKM(...) : Builder | provenance | MaD:2+MaD:3 |
+| KDFDataflowTest.java:35:34:35:41 | builder2 : Builder | KDFDataflowTest.java:35:34:35:75 | thenExpand(...) : ExtractThenExpand | provenance | MaD:4 |
+| KDFDataflowTest.java:35:34:35:75 | thenExpand(...) : ExtractThenExpand | KDFDataflowTest.java:38:40:38:43 | spec : ExtractThenExpand | provenance |  |
+| KDFDataflowTest.java:38:25:38:44 | deriveData(...) : byte[] | KDFDataflowTest.java:39:14:39:19 | result | provenance |  |
+| KDFDataflowTest.java:38:40:38:43 | spec : ExtractThenExpand | KDFDataflowTest.java:38:25:38:44 | deriveData(...) : byte[] | provenance | MaD:7 |
+| KDFDataflowTest.java:42:40:42:56 | taintedIKM : byte[] | KDFDataflowTest.java:44:24:44:33 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:44:9:44:15 | builder [post update] : Builder | KDFDataflowTest.java:46:34:46:40 | builder : Builder | provenance |  |
+| KDFDataflowTest.java:44:24:44:33 | taintedIKM : byte[] | KDFDataflowTest.java:44:9:44:15 | builder [post update] : Builder | provenance | MaD:2 |
+| KDFDataflowTest.java:46:34:46:40 | builder : Builder | KDFDataflowTest.java:46:34:46:74 | thenExpand(...) : ExtractThenExpand | provenance | MaD:4 |
+| KDFDataflowTest.java:46:34:46:74 | thenExpand(...) : ExtractThenExpand | KDFDataflowTest.java:49:40:49:43 | spec : ExtractThenExpand | provenance |  |
+| KDFDataflowTest.java:49:25:49:44 | deriveData(...) : byte[] | KDFDataflowTest.java:50:14:50:19 | result | provenance |  |
+| KDFDataflowTest.java:49:40:49:43 | spec : ExtractThenExpand | KDFDataflowTest.java:49:25:49:44 | deriveData(...) : byte[] | provenance | MaD:7 |
+| KDFDataflowTest.java:53:48:53:64 | taintedIKM : byte[] | KDFDataflowTest.java:54:89:54:98 | taintedIKM : byte[] | provenance |  |
+| KDFDataflowTest.java:54:53:54:106 | new SecretKeySpec(...) : SecretKeySpec | KDFDataflowTest.java:56:13:56:21 | secretKey : SecretKeySpec | provenance |  |
+| KDFDataflowTest.java:54:89:54:98 | taintedIKM : byte[] | KDFDataflowTest.java:54:53:54:106 | new SecretKeySpec(...) : SecretKeySpec | provenance | MaD:6 |
+| KDFDataflowTest.java:55:34:56:45 | expandOnly(...) : Expand | KDFDataflowTest.java:59:40:59:43 | spec : Expand | provenance |  |
+| KDFDataflowTest.java:56:13:56:21 | secretKey : SecretKeySpec | KDFDataflowTest.java:55:34:56:45 | expandOnly(...) : Expand | provenance | MaD:5 |
+| KDFDataflowTest.java:59:25:59:44 | deriveData(...) : byte[] | KDFDataflowTest.java:60:14:60:19 | result | provenance |  |
+| KDFDataflowTest.java:59:40:59:43 | spec : Expand | KDFDataflowTest.java:59:25:59:44 | deriveData(...) : byte[] | provenance | MaD:7 |
+nodes
+| KDFDataflowTest.java:12:28:12:37 | source(...) : String | semmle.label | source(...) : String |
+| KDFDataflowTest.java:13:31:13:39 | userInput : String | semmle.label | userInput : String |
+| KDFDataflowTest.java:13:31:13:50 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] |
+| KDFDataflowTest.java:15:28:15:39 | taintedBytes : byte[] | semmle.label | taintedBytes : byte[] |
+| KDFDataflowTest.java:16:29:16:40 | taintedBytes : byte[] | semmle.label | taintedBytes : byte[] |
+| KDFDataflowTest.java:17:25:17:36 | taintedBytes : byte[] | semmle.label | taintedBytes : byte[] |
+| KDFDataflowTest.java:18:33:18:44 | taintedBytes : byte[] | semmle.label | taintedBytes : byte[] |
+| KDFDataflowTest.java:22:43:22:59 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:24:9:24:15 | builder [post update] : Builder | semmle.label | builder [post update] : Builder |
+| KDFDataflowTest.java:24:24:24:33 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:25:34:25:40 | builder : Builder | semmle.label | builder : Builder |
+| KDFDataflowTest.java:25:34:25:74 | thenExpand(...) : ExtractThenExpand | semmle.label | thenExpand(...) : ExtractThenExpand |
+| KDFDataflowTest.java:28:25:28:44 | deriveData(...) : byte[] | semmle.label | deriveData(...) : byte[] |
+| KDFDataflowTest.java:28:40:28:43 | spec : ExtractThenExpand | semmle.label | spec : ExtractThenExpand |
+| KDFDataflowTest.java:29:14:29:19 | result | semmle.label | result |
+| KDFDataflowTest.java:32:44:32:60 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:34:46:34:72 | addIKM(...) : Builder | semmle.label | addIKM(...) : Builder |
+| KDFDataflowTest.java:34:62:34:71 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:35:34:35:41 | builder2 : Builder | semmle.label | builder2 : Builder |
+| KDFDataflowTest.java:35:34:35:75 | thenExpand(...) : ExtractThenExpand | semmle.label | thenExpand(...) : ExtractThenExpand |
+| KDFDataflowTest.java:38:25:38:44 | deriveData(...) : byte[] | semmle.label | deriveData(...) : byte[] |
+| KDFDataflowTest.java:38:40:38:43 | spec : ExtractThenExpand | semmle.label | spec : ExtractThenExpand |
+| KDFDataflowTest.java:39:14:39:19 | result | semmle.label | result |
+| KDFDataflowTest.java:42:40:42:56 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:44:9:44:15 | builder [post update] : Builder | semmle.label | builder [post update] : Builder |
+| KDFDataflowTest.java:44:24:44:33 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:46:34:46:40 | builder : Builder | semmle.label | builder : Builder |
+| KDFDataflowTest.java:46:34:46:74 | thenExpand(...) : ExtractThenExpand | semmle.label | thenExpand(...) : ExtractThenExpand |
+| KDFDataflowTest.java:49:25:49:44 | deriveData(...) : byte[] | semmle.label | deriveData(...) : byte[] |
+| KDFDataflowTest.java:49:40:49:43 | spec : ExtractThenExpand | semmle.label | spec : ExtractThenExpand |
+| KDFDataflowTest.java:50:14:50:19 | result | semmle.label | result |
+| KDFDataflowTest.java:53:48:53:64 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:54:53:54:106 | new SecretKeySpec(...) : SecretKeySpec | semmle.label | new SecretKeySpec(...) : SecretKeySpec |
+| KDFDataflowTest.java:54:89:54:98 | taintedIKM : byte[] | semmle.label | taintedIKM : byte[] |
+| KDFDataflowTest.java:55:34:56:45 | expandOnly(...) : Expand | semmle.label | expandOnly(...) : Expand |
+| KDFDataflowTest.java:56:13:56:21 | secretKey : SecretKeySpec | semmle.label | secretKey : SecretKeySpec |
+| KDFDataflowTest.java:59:25:59:44 | deriveData(...) : byte[] | semmle.label | deriveData(...) : byte[] |
+| KDFDataflowTest.java:59:40:59:43 | spec : Expand | semmle.label | spec : Expand |
+| KDFDataflowTest.java:60:14:60:19 | result | semmle.label | result |
+subpaths
+testFailures
diff --git a/java/ql/test/library-tests/dataflow/kdf/test.ql b/java/ql/test/library-tests/dataflow/kdf/test.ql
new file mode 100644
index 000000000000..b2ffe7d9a679
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/kdf/test.ql
@@ -0,0 +1,3 @@
+import utils.test.InlineFlowTest
+import TaintFlowTest<DefaultFlowConfig>
+import TaintFlow::PathGraph