Merge tag 'codeql-cli/latest'

Compatible with the latest released version of the CodeQL CLI

python/extractor/extending-the-parser.md

@@ -0,0 +1,94 @@
+# How to update the Python parser
+
+## Step 1: Add an extractor test
+
+Extractor parser tests live in the `tests/parser` directory. There are two different kinds of tests
+
+- Tests that compare the behavior of the old (Python-based) and new (`tree-sitter`-based) parsers, and verify that they yield the same output on the given source files, and
+- Tests that compare the output of the parser (old or new) against a fixed `.expected` file.
+
+What kind of test is run is determined based on the file name.
+If it ends in either `_new.py` or `_old.py`, then the test is run against an `.expected` file. If not, it is used to compare old against new.
+
+In most cases when adding new features, you'll only be interested in modifying the new parser (the old one is mostly there for legacy reasons).
+Thus, you will almost certainly want to create a test that ends in `_new.py`.
+
+It's a good habit to start by adding the parser test, as this makes it more easy to test when various bits of the parser have been added/modified successfully.
+
+The rest of this document will only concern itself with the process of extending the _new_ parser.
+
+To actually _run_ the tests, the easiest way is to use `pytest`.
+In the main `extractor` directory (i.e. where this file is located) run
+
+```sh
+pytest tests/test_parser.py
+```
+
+and wait for the tests to complete. It is normal and expected that the test seemingly freezes on the first run.
+This is simply because the `tsg-python` Rust binary is being built in the background.
+
+Once you have added a new test (or modified an old one) and start making modifications to the parser itself, it quickly becomes tedious to run _all_ the parser tests.
+To run just a single test using `pytest`, use the `::` syntax to specify specific tests.
+For instance, if you want to just run the tests associated with the file `types_new.py`, you would write
+
+```sh
+pytest tests/test_parser.py::ParserTest::test_types_new
+```
+
+## Step 2: Extend the `tree-sitter-python` grammar
+
+The new parser is based on `tree-sitter`, so the first task is to extend the existing `tree-sitter-python` grammar.
+This grammar can be found in the `grammar.js` file in the `tsg-python/tsp` subdirectory of the extractor directory.
+
+Note that whenever changes are made to `grammar.js`, you must regenerate the parser files by running
+
+```sh
+tree-sitter generate
+```
+
+inside the `tsp` directory.
+You'll need to install the `tree-sitter` CLI in order to run this command.
+One way to install it is to use `cargo`:
+
+```sh
+cargo install tree-sitter-cli
+```
+
+(This presupposes you have `cargo` available, but you'll need this anyway when compiling `tsg-python`.)
+
+Once the parser files have been regenerated, they'll get picked up automatically when `tsg-python` is rebuilt.
+
+> Pro-tip: When you're done with your parser changes, and go to commit these to a branch, put the autogenerated files in their own commit.
+> This makes it easier to review the changes, and if you need to go back and regenerate the files again, it's easy to modify just that commit.
+
+Once you have extended `grammar.js` and regenerated the parser files, you should be able to check that the grammar changes are sufficient by rerunning the parser test using `pytest`. If it fails while producing an AST that doesn't make sense, then you're probably on the right track. If it fails _without_ producing an AST, then something went wrong with the actual `tree-sitter` parse. To check if this is the case, you can run
+
+```sh
+tree-sitter parse path/to/test.py
+```
+
+and see what kind of errors are emitted (possibly as `ERROR` or `MISSING` nodes in the AST that is output).
+
+## Step 3: Extend `python.tsg`
+
+Once the grammar has been extended, we need to also tell `tsg-python` how to turn the `tree-sitter-python` AST into something that better matches the AST structure that we use in the Python extractor.
+
+For an introduction to the language of `tree-sitter-graph` (and in particular how we use it in the Python extractor), see the `README.md` file in the `tsg-python` directory.
+
+## Step 4: Extend the set of known AST nodes
+
+If you added new node types, or added fields to known node types, then you'll need to update a few files in the Python extractor before it is able to reconstruct the output from `tsg-python`.
+
+New AST nodes should be added in two places: `master.py` and `semmle/python/ast.py`. The former of these is used to automatically generate the Python dbscheme and `AstGenerated.qll`. The latter is what the parser actually uses as its internal representation of the AST.
+
+## Step 5: Rebuild the autogenerated AST and database scheme
+
+If you made changes to `master.py`, you'll need to regenerate a couple of files. This can be done from within the `extractor` directory using the `make dbscheme` and `make ast` commands. Note that for the latter, you need a copy of the CodeQL CLI present, as it is used to autoformat the `AstGenerated.qll` file.
+
+## Step 6: Add dbscheme upgrade and downgrade scripts
+
+If you ended up making changes to the database scheme inw step 5, then you'll need to add an appropriate pair of up- and downgrade scripts to handle any changes between the different versions of the dbscheme.
+
+This can be a bit fiddly, but luckily there are [tools](https://github.com/github/codeql/blob/main/misc/scripts/prepare-db-upgrade.sh) that can help set up some of the necessary files for you.
+
+See also the [guide](https://github.com/github/codeql/blob/main/docs/prepare-db-upgrade.md) for preparing database upgrades.

python/extractor/semmle/python/passes/pruner.py

@@ -196,6 +196,25 @@ class SkippedVisitor(ASTVisitor):
         if isinstance(node.value, ast.Name):
             self.nodes.add(node.value)
 
+class NotBooleanTestVisitor(ASTVisitor):
+    """Visitor that checks if a test is not a boolean test."""
+
+    def __init__(self):
+        self.nodes = set()
+
+    def visit_MatchLiteralPattern(self, node):
+        # MatchLiteralPatterns _look_ like boolean tests, but are not.
+        # Thus, without this check, we would interpret
+        #
+        # match x:
+        #    case False:
+        #        pass
+        #
+        # (and similarly for True) as if it was a boolean test. This would cause the true edge
+        # (leading to pass) to be pruned later on.
+        if isinstance(node.literal, ast.Name) and node.literal.id in ('True', 'False'):
+            self.nodes.add(node.literal)
+
 class NonlocalVisitor(ASTVisitor):
     def __init__(self):
         self.names = set()
@@ -306,6 +325,8 @@ def effective_constants_definitions(bool_const_defns, graph, branching_edges):
 def do_pruning(tree, graph):
     v = BoolConstVisitor()
     v.visit(tree)
+    not_boolean_test = NotBooleanTestVisitor()
+    not_boolean_test.visit(tree)
     nonlocals = NonlocalVisitor()
     nonlocals.visit(tree)
     global_vars = GlobalVisitor()
@@ -353,6 +374,8 @@ def do_pruning(tree, graph):
             b = const_value(pred.node)
             if b is None:
                 continue
+            if pred.node in not_boolean_test.nodes:
+                continue
             if b.contradicts(val):
                 to_be_removed.add((pred, succ))
         if not to_be_removed:

python/extractor/semmle/util.py

@@ -10,7 +10,7 @@ from io import BytesIO
 
 #Semantic version of extractor.
 #Update this if any changes are made
-VERSION = "7.1.1"
+VERSION = "7.1.2"
 
 PY_EXTENSIONS = ".py", ".pyw"
 

python/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 3.0.0
+
+### Breaking Changes
+
+* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
+
+### Bug Fixes
+
+- Fixed a problem with the control-flow graph construction, where writing `case True:` or `case False:` would cause parts of the graph to be pruned by mistake.
+
 ## 2.2.0
 
 ### Major Analysis Improvements

python/ql/lib/change-notes/released/3.0.0.md

@@ -0,0 +1,9 @@
+## 3.0.0
+
+### Breaking Changes
+
+* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
+
+### Bug Fixes
+
+- Fixed a problem with the control-flow graph construction, where writing `case True:` or `case False:` would cause parts of the graph to be pruned by mistake.

python/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.2.0
+lastReleaseVersion: 3.0.0

python/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 2.2.0
+version: 3.0.0
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python

python/ql/lib/semmle/python/dataflow/new/DataFlow.qll

@@ -25,5 +25,5 @@ module DataFlow {
   private import internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
   import DataFlowMake<Location, PythonDataFlow>
-  import internal.DataFlowImpl1
+  import Public
 }

python/ql/lib/semmle/python/dataflow/new/DataFlow2.qll

@@ -1,26 +0,0 @@
-/**
- * Provides a library for local (intra-procedural) and global (inter-procedural)
- * data flow analysis: deciding whether data can flow from a _source_ to a
- * _sink_.
- *
- * Unless configured otherwise, _flow_ means that the exact value of
- * the source may reach the sink. We do not track flow across pointer
- * dereferences or array indexing. To track these types of flow, where the
- * exact value may not be preserved, import
- * `semmle.python.dataflow.new.TaintTracking`.
- *
- * To use global (interprocedural) data flow, extend the class
- * `DataFlow::Configuration` as documented on that class. To use local
- * (intraprocedural) data flow, call `DataFlow::localFlow` or
- * `DataFlow::localFlowStep` with arguments of type `DataFlow::Node`.
- */
-
-private import python
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-module DataFlow2 {
-  import semmle.python.dataflow.new.internal.DataFlowImpl2
-}

python/ql/lib/semmle/python/dataflow/new/DataFlow3.qll

@@ -1,26 +0,0 @@
-/**
- * Provides a library for local (intra-procedural) and global (inter-procedural)
- * data flow analysis: deciding whether data can flow from a _source_ to a
- * _sink_.
- *
- * Unless configured otherwise, _flow_ means that the exact value of
- * the source may reach the sink. We do not track flow across pointer
- * dereferences or array indexing. To track these types of flow, where the
- * exact value may not be preserved, import
- * `semmle.python.dataflow.new.TaintTracking`.
- *
- * To use global (interprocedural) data flow, extend the class
- * `DataFlow::Configuration` as documented on that class. To use local
- * (intraprocedural) data flow, call `DataFlow::localFlow` or
- * `DataFlow::localFlowStep` with arguments of type `DataFlow::Node`.
- */
-
-private import python
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-module DataFlow3 {
-  import semmle.python.dataflow.new.internal.DataFlowImpl3
-}

python/ql/lib/semmle/python/dataflow/new/DataFlow4.qll

@@ -1,26 +0,0 @@
-/**
- * Provides a library for local (intra-procedural) and global (inter-procedural)
- * data flow analysis: deciding whether data can flow from a _source_ to a
- * _sink_.
- *
- * Unless configured otherwise, _flow_ means that the exact value of
- * the source may reach the sink. We do not track flow across pointer
- * dereferences or array indexing. To track these types of flow, where the
- * exact value may not be preserved, import
- * `semmle.python.dataflow.new.TaintTracking`.
- *
- * To use global (interprocedural) data flow, extend the class
- * `DataFlow::Configuration` as documented on that class. To use local
- * (intraprocedural) data flow, call `DataFlow::localFlow` or
- * `DataFlow::localFlowStep` with arguments of type `DataFlow::Node`.
- */
-
-private import python
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-module DataFlow4 {
-  import semmle.python.dataflow.new.internal.DataFlowImpl4
-}

python/ql/lib/semmle/python/dataflow/new/TaintTracking.qll

@@ -15,10 +15,9 @@ private import python
  * global (inter-procedural) taint-tracking analyses.
  */
 module TaintTracking {
-  import semmle.python.dataflow.new.internal.tainttracking1.TaintTrackingParameter::Public
+  import semmle.python.dataflow.new.internal.TaintTrackingPublic
   private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
   private import semmle.python.dataflow.new.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
   import TaintFlowMake<Location, PythonDataFlow, PythonTaintTracking>
-  import internal.tainttracking1.TaintTrackingImpl
 }

python/ql/lib/semmle/python/dataflow/new/TaintTracking2.qll

@@ -1,19 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- *
- * To use global (interprocedural) taint tracking, extend the class
- * `TaintTracking::Configuration` as documented on that class. To use local
- * (intraprocedural) taint tracking, call `TaintTracking::localTaint` or
- * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
- */
-
-private import python
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-module TaintTracking2 {
-  import semmle.python.dataflow.new.internal.tainttracking2.TaintTrackingImpl
-}

python/ql/lib/semmle/python/dataflow/new/TaintTracking3.qll

@@ -1,19 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- *
- * To use global (interprocedural) taint tracking, extend the class
- * `TaintTracking::Configuration` as documented on that class. To use local
- * (intraprocedural) taint tracking, call `TaintTracking::localTaint` or
- * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
- */
-
-private import python
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-module TaintTracking3 {
-  import semmle.python.dataflow.new.internal.tainttracking3.TaintTrackingImpl
-}

python/ql/lib/semmle/python/dataflow/new/TaintTracking4.qll

@@ -1,19 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- *
- * To use global (interprocedural) taint tracking, extend the class
- * `TaintTracking::Configuration` as documented on that class. To use local
- * (intraprocedural) taint tracking, call `TaintTracking::localTaint` or
- * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
- */
-
-private import python
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-module TaintTracking4 {
-  import semmle.python.dataflow.new.internal.tainttracking4.TaintTrackingImpl
-}

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingParameter.qll

@@ -1,7 +0,0 @@
-import semmle.python.dataflow.new.internal.TaintTrackingPublic as Public
-
-module Private {
-  import semmle.python.dataflow.new.DataFlow::DataFlow as DataFlow
-  import semmle.python.dataflow.new.internal.DataFlowImpl as DataFlowInternal
-  import semmle.python.dataflow.new.internal.TaintTrackingPrivate
-}

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingParameter.qll

@@ -1,6 +0,0 @@
-import semmle.python.dataflow.new.internal.TaintTrackingPublic as Public
-
-module Private {
-  import semmle.python.dataflow.new.DataFlow2::DataFlow2 as DataFlow
-  import semmle.python.dataflow.new.internal.TaintTrackingPrivate
-}

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingParameter.qll

@@ -1,6 +0,0 @@
-import semmle.python.dataflow.new.internal.TaintTrackingPublic as Public
-
-module Private {
-  import semmle.python.dataflow.new.DataFlow3::DataFlow3 as DataFlow
-  import semmle.python.dataflow.new.internal.TaintTrackingPrivate
-}

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingParameter.qll

@@ -1,6 +0,0 @@
-import semmle.python.dataflow.new.internal.TaintTrackingPublic as Public
-
-module Private {
-  import semmle.python.dataflow.new.DataFlow4::DataFlow4 as DataFlow
-  import semmle.python.dataflow.new.internal.TaintTrackingPrivate
-}

python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll

@@ -15,25 +15,6 @@ private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextLoggingCustomizations::CleartextLogging
 
-/**
- * DEPRECATED: Use `CleartextLoggingFlow` module instead.
- *
- * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CleartextLogging" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node)
-    or
-    node instanceof Sanitizer
-  }
-}
-
 private module CleartextLoggingConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll

@@ -15,25 +15,6 @@ private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextStorageCustomizations::CleartextStorage
 
-/**
- * DEPRECATED: Use `CleartextStorageFlow` module instead.
- *
- * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CleartextStorage" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node)
-    or
-    node instanceof Sanitizer
-  }
-}
-
 private module CleartextStorageConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import CodeInjectionCustomizations::CodeInjection
 
-/**
- * DEPRECATED: Use `CodeInjectionFlow` module instead.
- *
- * A taint-tracking configuration for detecting "code injection" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CodeInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module CodeInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import CommandInjectionCustomizations::CommandInjection
 
-/**
- * DEPRECATED: Use `CommandInjectionFlow` module instead.
- *
- * A taint-tracking configuration for detecting "command injection" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CommandInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 /**
  * A taint-tracking configuration for detecting "command injection" vulnerabilities.
  */

python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll

@@ -13,22 +13,6 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 import LdapInjectionCustomizations::LdapInjection
 
-/**
- * DEPRECATED: Use `LdapInjectionDnFlow` module instead.
- *
- * A taint-tracking configuration for detecting LDAP injection vulnerabilities
- * via the distinguished name (DN) parameter of an LDAP search.
- */
-deprecated class DnConfiguration extends TaintTracking::Configuration {
-  DnConfiguration() { this = "LdapDnInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }
-}
-
 private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
@@ -40,22 +24,6 @@ private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
 /** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
 module LdapInjectionDnFlow = TaintTracking::Global<LdapInjectionDnConfig>;
 
-/**
- * DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
- *
- * A taint-tracking configuration for detecting LDAP injection vulnerabilities
- * via the filter parameter of an LDAP search.
- */
-deprecated class FilterConfiguration extends TaintTracking::Configuration {
-  FilterConfiguration() { this = "LdapFilterInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }
-}
-
 private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import LogInjectionCustomizations::LogInjection
 
-/**
- * DEPRECATED: Use `LogInjectionFlow` module instead.
- *
- * A taint-tracking configuration for tracking untrusted user input used in log entries.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "LogInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll

@@ -11,35 +11,6 @@ import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
 import PamAuthorizationCustomizations::PamAuthorizationCustomizations
 
-/**
- * DEPRECATED: Use `PamAuthorizationFlow` module instead.
- *
- * A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "PamAuthorization" }
-
-  override predicate isSource(DataFlow::Node node) { node instanceof Source }
-
-  override predicate isSink(DataFlow::Node node) { node instanceof Sink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    // Models flow from a remotely supplied username field to a PAM `handle`.
-    // `retval = pam_start(service, username, byref(conv), byref(handle))`
-    exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
-      pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
-      pamStart = libPam().getMember("pam_start").getACall() and
-      pointer = pamStart.getArg(3) and
-      handle = pointer.getArg(0) and
-      pamStart.getArg(1) = node1 and
-      handle = node2
-    )
-    or
-    // Flow from handle to the authenticate call in the final step
-    exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
-  }
-}
-
 private module PamAuthorizationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll

@@ -12,57 +12,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import PathInjectionCustomizations::PathInjection
 
-/**
- * DEPRECATED: Use `PathInjectionFlow` module instead.
- *
- * A taint-tracking configuration for detecting "path injection" vulnerabilities.
- *
- * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
- * to track the requirement that a file path must be first normalized and then checked
- * before it is safe to use.
- *
- * At sources, paths are assumed not normalized. At normalization points, they change
- * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
- * check of the prefix.
- *
- * Such checks are ineffective in the `NotNormalized` state.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "PathInjection" }
-
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-    source instanceof Source and state instanceof NotNormalized
-  }
-
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    sink instanceof Sink and
-    (
-      state instanceof NotNormalized or
-      state instanceof NormalizedUnchecked
-    )
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-  override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) {
-    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
-    node instanceof Path::PathNormalization and
-    state instanceof NotNormalized
-    or
-    node instanceof Path::SafeAccessCheck and
-    state instanceof NormalizedUnchecked
-  }
-
-  override predicate isAdditionalTaintStep(
-    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
-    DataFlow::FlowState stateTo
-  ) {
-    nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
-    stateFrom instanceof NotNormalized and
-    stateTo instanceof NormalizedUnchecked
-  }
-}
-
 abstract private class NormalizationState extends string {
   bindingset[this]
   NormalizationState() { any() }

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import PolynomialReDoSCustomizations::PolynomialReDoS
 
-/**
- * DEPRECATED: Use `PolynomialReDoSFlow` module instead.
- *
- * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "PolynomialReDoS" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import ReflectedXSSCustomizations::ReflectedXss
 
-/**
- * DEPRECATED: Use `ReflectedXssFlow` module instead.
- *
- * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "ReflectedXSS" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module ReflectedXssConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll

@@ -12,21 +12,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import RegexInjectionCustomizations::RegexInjection
 
-/**
- * DEPRECATED: Use `RegexInjectionFlow` module instead.
- *
- * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "RegexInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll

@@ -12,31 +12,6 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.Concepts
 import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
 
-/**
- * DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
- *
- * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
- * See `PartialServerSideRequestForgery` for a variant without this requirement.
- *
- * You should use the `fullyControlledRequest` to only select results where all
- * URL parts are fully controlled.
- */
-deprecated class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
-  FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof Sanitizer
-    or
-    node instanceof FullUrlControlSanitizer
-  }
-}
-
 /**
  * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
  * See `PartialServerSideRequestForgery` for a variant without this requirement.
@@ -73,24 +48,6 @@ predicate fullyControlledRequest(Http::Client::Request request) {
   )
 }
 
-/**
- * DEPRECATED: Use `PartialServerSideRequestForgeryFlow` module instead.
- *
- * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * This configuration has results, even when the attacker does not have full control over the URL.
- * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
- */
-deprecated class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
-  PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 /**
  * This configuration has results, even when the attacker does not have full control over the URL.
  * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.

python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import SqlInjectionCustomizations::SqlInjection
 
-/**
- * DEPRECATED: Use `SqlInjectionFlow` module instead.
- *
- * A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "SqlInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module SqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll

@@ -11,30 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import StackTraceExposureCustomizations::StackTraceExposure
 
-/**
- * DEPRECATED: Use `StackTraceExposureFlow` module instead.
- *
- * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "StackTraceExposure" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-  // A stack trace is accessible as the `__traceback__` attribute of a caught exception.
-  //  see https://docs.python.org/3/reference/datamodel.html#traceback-objects
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
-      nodeFrom = attr.getObject() and
-      nodeTo = attr
-    )
-  }
-}
-
 private module StackTraceExposureConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import TarSlipCustomizations::TarSlip
 
-/**
- * DEPRECATED: Use `TarSlipFlow` module instead.
- *
- * A taint-tracking configuration for detecting "tar slip" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "TarSlip" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module TarSlipConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import UnsafeDeserializationCustomizations::UnsafeDeserialization
 
-/**
- * DEPRECATED: Use `UnsafeDeserializationFlow` module instead.
- *
- * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeDeserialization" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll

@@ -13,29 +13,6 @@ private import semmle.python.dataflow.new.TaintTracking
 private import CommandInjectionCustomizations::CommandInjection as CommandInjection
 private import semmle.python.dataflow.new.BarrierGuards
 
-/**
- * DEPRECATED: Use `UnsafeShellCommandConstructionFlow` module instead.
- *
- * A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeShellCommandConstruction" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof Sanitizer or
-    node instanceof CommandInjection::Sanitizer // using all sanitizers from `py/command-injection`
-  }
-
-  // override to require the path doesn't have unmatched return steps
-  override DataFlow::FlowFeature getAFeature() {
-    result instanceof DataFlow::FeatureHasSourceCallContext
-  }
-}
-
 /**
  * A taint-tracking configuration for detecting "shell command constructed from library input" vulnerabilities.
  */

python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll

@@ -11,34 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import UrlRedirectCustomizations::UrlRedirect as UrlRedirect
 
-/**
- * DEPRECATED: Use `UrlRedirectFlow` module instead.
- *
- * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UrlRedirect" }
-
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-    source instanceof UrlRedirect::Source and state instanceof UrlRedirect::MayContainBackslashes
-  }
-
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    sink instanceof UrlRedirect::Sink and state instanceof UrlRedirect::FlowState
-  }
-
-  override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) {
-    node.(UrlRedirect::Sanitizer).sanitizes(state)
-  }
-
-  override predicate isAdditionalTaintStep(
-    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
-    DataFlow::FlowState stateTo
-  ) {
-    any(UrlRedirect::AdditionalFlowStep a).step(nodeFrom, stateFrom, nodeTo, stateTo)
-  }
-}
-
 private module UrlRedirectConfig implements DataFlow::StateConfigSig {
   class FlowState = UrlRedirect::FlowState;
 

python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll

@@ -23,30 +23,6 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 module NormalHashFunction {
   import WeakSensitiveDataHashingCustomizations::NormalHashFunction
 
-  /**
-   * DEPRECATED: Use `Flow` module instead.
-   *
-   * A taint-tracking configuration for detecting use of a broken or weak
-   * cryptographic hashing algorithm on sensitive data.
-   */
-  deprecated class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "NormalHashFunction" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      sensitiveDataExtraStepForCalls(node1, node2)
-    }
-  }
-
   private module Config implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) { source instanceof Source }
 
@@ -73,33 +49,6 @@ module NormalHashFunction {
 module ComputationallyExpensiveHashFunction {
   import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
 
-  /**
-   * DEPRECATED: Use `Flow` module instead.
-   *
-   * A taint-tracking configuration for detecting use of a broken or weak
-   * cryptographic hashing algorithm on passwords.
-   *
-   * Passwords has stricter requirements on the hashing algorithm used (must be
-   * computationally expensive to prevent brute-force attacks).
-   */
-  deprecated class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "ComputationallyExpensiveHashFunction" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      sensitiveDataExtraStepForCalls(node1, node2)
-    }
-  }
-
   /**
    * Passwords has stricter requirements on the hashing algorithm used (must be
    * computationally expensive to prevent brute-force attacks).

python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll

@@ -11,24 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import XmlBombCustomizations::XmlBomb
 
-/**
- * DEPRECATED: Use `XmlBombFlow` module instead.
- *
- * A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "XmlBomb" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof Sanitizer
-  }
-}
-
 private module XmlBombConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll

@@ -11,21 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import XpathInjectionCustomizations::XpathInjection
 
-/**
- * DEPRECATED: Use `XpathInjectionFlow` module instead.
- *
- * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "Xpath Injection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module XpathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll

@@ -11,24 +11,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import XxeCustomizations::Xxe
 
-/**
- * DEPRECATED: Use `XxeFlow` module instead.
- *
- * A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "Xxe" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof Sanitizer
-  }
-}
-
 private module XxeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 

python/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.4
+
+No user-facing changes.
+
 ## 1.3.3
 
 No user-facing changes.

python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll

@@ -167,19 +167,6 @@ class ExternalApiDataNode extends DataFlow::Node {
   }
 }
 
-/**
- * DEPRECATED: Use `XmlBombFlow` module instead.
- *
- * A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
- */
-deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
-  UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
-}
-
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 

python/ql/src/change-notes/released/1.3.4.md

@@ -0,0 +1,3 @@
+## 1.3.4
+
+No user-facing changes.

python/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.3
+lastReleaseVersion: 1.3.4

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.3.3
+version: 1.3.4
 groups:
   - python
   - queries

python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll

@@ -16,37 +16,6 @@ private import semmle.python.ApiGraphs
 module ModificationOfParameterWithDefault {
   import ModificationOfParameterWithDefaultCustomizations::ModificationOfParameterWithDefault
 
-  /**
-   * DEPRECATED: Use `Flow` module instead.
-   *
-   * A data-flow configuration for detecting modifications of a parameters default value.
-   */
-  deprecated class Configuration extends DataFlow::Configuration {
-    /** Record whether the default value being tracked is non-empty. */
-    boolean nonEmptyDefault;
-
-    Configuration() {
-      nonEmptyDefault in [true, false] and
-      this = "ModificationOfParameterWithDefault:" + nonEmptyDefault.toString()
-    }
-
-    override predicate isSource(DataFlow::Node source) {
-      source.(Source).isNonEmpty() = nonEmptyDefault
-    }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isBarrier(DataFlow::Node node) {
-      // if we are tracking a non-empty default, then it is ok to modify empty values,
-      // so our tracking ends at those.
-      nonEmptyDefault = true and node instanceof MustBeEmpty
-      or
-      // if we are tracking a empty default, then it is ok to modify non-empty values,
-      // so our tracking ends at those.
-      nonEmptyDefault = false and node instanceof MustBeNonEmpty
-    }
-  }
-
   private module Config implements DataFlow::StateConfigSig {
     class FlowState = boolean;
 

python/ql/test/TestUtilities/dataflow/DataflowQueryTest.qll

@@ -103,15 +103,3 @@ module FromTaintTrackingStateConfig<DataFlow::StateConfigSig C> {
 
   import MakeQueryTest<Impl>
 }
-
-deprecated signature class LegacyConfiguration extends DataFlow::Configuration;
-
-deprecated module FromLegacyConfiguration<LegacyConfiguration C> {
-  module Impl implements QueryTestSig {
-    predicate isSink(DataFlow::Node sink) { any(C c).isSink(sink) or any(C c).isSink(sink, _) }
-
-    predicate flowTo(DataFlow::Node sink) { any(C c).hasFlowTo(sink) }
-  }
-
-  import MakeQueryTest<Impl>
-}

python/ql/test/experimental/import-resolution/importflow.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/experimental/import-resolution/imports.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/experimental/library-tests/CallGraph-implicit-init/InlineCallGraphTest.expected

@@ -1,5 +1,4 @@
 testFailures
-failures
 debug_callableNotUnique
 pointsTo_found_typeTracker_notFound
 typeTracker_found_pointsTo_notFound

python/ql/test/experimental/library-tests/CallGraph-imports/InlineCallGraphTest.expected

@@ -1,5 +1,4 @@
 testFailures
-failures
 debug_callableNotUnique
 pointsTo_found_typeTracker_notFound
 typeTracker_found_pointsTo_notFound

python/ql/test/experimental/library-tests/CallGraph/InlineCallGraphTest.expected

@@ -1,5 +1,4 @@
 testFailures
-failures
 debug_callableNotUnique
 pointsTo_found_typeTracker_notFound
 | code/class_attr_assign.py:10:9:10:27 | ControlFlowNode for Attribute() | my_func |

python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected

@@ -5,4 +5,3 @@ untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 | taint_test.py:37:24:37:40 | taint_test.py:37 | ERROR, you should add `# $ MISSING: tainted` annotation | should_be_tainted |
 testFailures
 | taint_test.py:41:20:41:21 | ts | Fixed missing result: tainted |
-failures

python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DataflowQueryTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/ConceptsTest.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/DataflowQueryTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/experimental/query-tests/Security/CWE-409/DataflowQueryTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/ApiGraphs/py2/use.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/InlineExpectationsTest/missing-relevant-tag/Test.expected

@@ -1,4 +1,2 @@
-testFailures
 | test.py:1:1:1:3 | foo | Tag mismatch: Actual result with tag 'foo' that is not part of getARelevantTag() |
 | test.py:4:1:4:3 | foo | Tag mismatch: Actual result with tag 'foo' that is not part of getARelevantTag() |
-failures

python/ql/test/library-tests/dataflow/basic/localFlowStepTest.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/basic/maximalFlowTest.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/calls/DataFlowCallTest.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/coverage-py2/argumentRoutingTest.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/coverage-py3/argumentRoutingTest.expected

@@ -1,6 +1,4 @@
-testFailures
 | classes.py:54:44:54:107 | Comment #$ arg1="with_length_hint" func=With_length_hint.__length_hint__ | Missing result: arg1="with_length_hint" |
 | classes.py:54:44:54:107 | Comment #$ arg1="with_length_hint" func=With_length_hint.__length_hint__ | Missing result: func=With_length_hint.__length_hint__ |
 | classes.py:71:32:71:77 | Comment #$ arg1="with_index" func=With_index.__index__ | Missing result: arg1="with_index" |
 | classes.py:71:32:71:77 | Comment #$ arg1="with_index" func=With_index.__index__ | Missing result: func=With_index.__index__ |
-failures

python/ql/test/library-tests/dataflow/coverage/NormalDataflowTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/dataflow/coverage/argumentRoutingTest.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/exceptions/NormalDataflowTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/dataflow/fieldflow/NormalDataflowTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/dataflow/fieldflow/UnresolvedCalls.expected

@@ -1,6 +1,4 @@
-testFailures
 | test.py:4:17:4:60 | ControlFlowNode for Attribute() | Unexpected result: unresolved_call=os.path.dirname(..) |
 | test.py:4:33:4:59 | ControlFlowNode for Attribute() | Unexpected result: unresolved_call=os.path.dirname(..) |
 | test_dict.py:4:17:4:60 | ControlFlowNode for Attribute() | Unexpected result: unresolved_call=os.path.dirname(..) |
 | test_dict.py:4:33:4:59 | ControlFlowNode for Attribute() | Unexpected result: unresolved_call=os.path.dirname(..) |
-failures

python/ql/test/library-tests/dataflow/global-flow/accesses.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/global-or-captured-vars/test.expected

@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+testFailures

python/ql/test/library-tests/dataflow/global-or-captured-vars/test.py

@@ -0,0 +1,118 @@
+import threading 
+import time
+
+# Test 1
+# TP - Flow is tracked through a global variable
+foo1 = None
+
+def bar1():
+    time.sleep(1)
+    ensure_tainted(foo1) # $tainted
+
+# The intent of these tests is to test how dataflow is handled through shared state accessed by different threads; 
+# but the presense or absense of the actual call to start a thread does not affect the results (there is no special modelling for Thread)
+# threading.Thread(target=bar).start() 
+
+foo1 = TAINTED_STRING
+
+# Test 2
+# FN - Flow is *not* tracked through an access path on a global variable
+foo2 = []
+
+def bar2():
+    time.sleep(1)
+    ensure_tainted(foo2[0]) # $MISSING:tainted
+
+threading.Thread(target=bar2).start()
+
+foo2.append(TAINTED_STRING)
+
+# Test 3
+# FN - Flow is not found even when there is a direct call
+foo3 = []
+
+def bar3():
+    time.sleep(1)
+    ensure_tainted(foo2[0]) # $MISSING:tainted
+
+foo3.append(TAINTED_STRING)
+bar3()
+
+# Tast 4
+# TP - Sanity check: Flow is found through a ListElement directly without a call
+foo4 = []
+foo4.append(TAINTED_STRING)
+ensure_tainted(foo4[0]) # $tainted
+
+# Test 5
+# FN - Flow is *not* tracked through a shared captured but non-global variable
+def test5():
+    foo5 = None 
+
+    def bar5():
+        time.sleep(1)
+        ensure_tainted(foo5) # $MISSING:tainted
+
+    threading.Thread(target=bar5).start() # Only the presense of this thread call makes this an FN rather than a TN
+
+    foo5 = TAINTED_STRING
+
+ # Test 6
+ # TP - Flow is tracked through a shared captured but non-global variable with a direct call
+def test6():
+    foo6 = []
+
+    def bar6():
+        time.sleep(1)
+        ensure_tainted(foo6[0]) # $tainted
+
+    foo6.append(TAINTED_STRING)
+    bar6()
+
+
+# Test 7
+# FN - Flow is *not* found through an access path on a global variable that's also used as a parameter
+# We'd like to cover this case in order to be able to cover this CVE: https://github.com/github/codeql-python-CVE-coverage/issues/3176
+
+foo7 = []
+
+def bar7():
+    time.sleep(1)
+    ensure_tainted(foo7[0]) # $MISSING: tainted
+
+def baz7(loc_foo):
+    loc_foo.append(TAINTED_STRING)
+
+threading.Thread(target=bar7).start()
+
+baz7(foo7)
+
+# Test 8
+# FN - Flow is also *not* found in the above case through a direct call 
+
+foo8 = []
+
+def bar8():
+    time.sleep(1)
+    ensure_tainted(foo8[0]) # $MISSING: tainted
+
+def baz8(loc_foo):
+    loc_foo.append(TAINTED_STRING)
+
+baz8(foo8)
+bar8()
+
+# Test 9
+# TP - Flow is found in the above case when the variable is captured rather than global
+
+def test9():
+    foo9 = []
+    def bar9():
+        time.sleep(1)
+        ensure_tainted(foo9[0]) # $tainted
+
+    def baz9(loc_foo):
+        loc_foo.append(TAINTED_STRING)
+
+    baz9(foo9)
+    bar9()

python/ql/test/library-tests/dataflow/global-or-captured-vars/test.ql

@@ -0,0 +1,3 @@
+import python
+import experimental.meta.InlineTaintTest
+import MakeInlineTaintTest<TestTaintTrackingConfig>

python/ql/test/library-tests/dataflow/match/NormalDataflowTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/dataflow/module-initialization/localFlow.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/path-graph/PathNodes.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/sensitive-data/TestSensitiveDataSources.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/summaries/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/summaries/NormalTaintTrackingTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/dataflow/tainttracking/commonSanitizer/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected

@@ -1,7 +1,6 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures
 isSanitizer
 | test.py:21:39:21:39 | ControlFlowNode for s |
 | test.py:34:39:34:39 | ControlFlowNode for s |

python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/tainttracking/generator-flow/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/tainttracking/generator-flow/NormalDataflowTest.expected

@@ -1,3 +1,2 @@
 missingAnnotationOnSink
 testFailures
-failures

python/ql/test/library-tests/dataflow/tainttracking/isinstance/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.expected

@@ -1,4 +1,3 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
 testFailures
-failures

python/ql/test/library-tests/dataflow/typetracking-summaries/tracked.expected

@@ -1,2 +0,0 @@
-testFailures
-failures

python/ql/test/library-tests/dataflow/typetracking/tracked.expected

@@ -1,2 +0,0 @@
-testFailures
-failures