diff --git a/ql/lib/semmle/go/security/ExternalAPIs.qll b/ql/lib/semmle/go/security/ExternalAPIs.qll
index 3b7e96c1064..a1172a66f8d 100644
--- a/ql/lib/semmle/go/security/ExternalAPIs.qll
+++ b/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -74,7 +74,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
     // Not already modeled as a taint step
     not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
     // Not a call to a known safe external API
-    not call = any(SafeExternalAPIFunction f).getACall()
+    not call.getTarget() instanceof SafeExternalAPIFunction
   }
 
   /** Gets the called API `Function`. */
diff --git a/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll b/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
index c894afb4123..2cbb350461b 100644
--- a/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
+++ b/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
@@ -60,7 +60,7 @@ module InsecureRandomness {
         // Some interfaces in the `crypto` package are the same as interfaces
         // elsewhere, e.g. tls.listener is the same as net.Listener
         not fn.hasQualifiedName(nonCryptoInterface(), _) and
-        this = fn.getACall().getAnArgument()
+        exists(DataFlow::CallNode call | call.getTarget() = fn and this = call.getAnArgument())
       )
     }