Python: Deprecate old non-Query.qll dataflow defs

2026-05-05 05:35:13 +02:00 · 2022-03-21 15:02:36 +01:00
parent db86a18791
commit 695553ba9f
35 changed files with 111 additions and 302 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/CleartextLogging.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CleartextLogging.qll
@@ -1,10 +1,4 @@
-/**
- * Provides a taint-tracking configuration for "Clear-text logging of sensitive information".
- *
- * Note, for performance reasons: only import this file if
- * `CleartextLogging::Configuration` is needed, otherwise
- * `CleartextLoggingCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CleartextLoggingQuery` instead. */

 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -14,9 +8,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources

-/**
- * Provides a taint-tracking configuration for detecting "Clear-text logging of sensitive information".
- */
-module CleartextLogging {
+/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
+deprecated module CleartextLogging {
  import CleartextLoggingQuery // ignore-query-import
 }
--- a/python/ql/lib/semmle/python/security/dataflow/CleartextStorage.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CleartextStorage.qll
@@ -1,10 +1,4 @@
-/**
- * Provides a taint-tracking configuration for "Clear-text storage of sensitive information".
- *
- * Note, for performance reasons: only import this file if
- * `CleartextStorage::Configuration` is needed, otherwise
- * `CleartextStorageCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CleartextStorageQuery` instead. */

 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -14,9 +8,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources

-/**
- * Provides a taint-tracking configuration for detecting "Clear-text storage of sensitive information".
- */
-module CleartextStorage {
+/** DEPRECATED. Import `CleartextStorageQuery` instead. */
+deprecated module CleartextStorage {
  import CleartextStorageQuery // ignore-query-import
 }
--- a/python/ql/lib/semmle/python/security/dataflow/CodeInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjection.qll
@@ -1,25 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `CodeInjection::Configuration` is needed, otherwise
- * `CodeInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
- */
-module CodeInjection {
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
+deprecated module CodeInjection {
  import CodeInjectionQuery // ignore-query-import
 }

-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `CodeInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
 deprecated class CodeInjectionConfiguration = CodeInjection::Configuration;
--- a/python/ql/lib/semmle/python/security/dataflow/CommandInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjection.qll
@@ -1,25 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `CommandInjection::Configuration` is needed, otherwise
- * `CommandInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
- */
-module CommandInjection {
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
+deprecated module CommandInjection {
  import CommandInjectionQuery // ignore-query-import
 }

-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `CommandInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
 deprecated class CommandInjectionConfiguration = CommandInjection::Configuration;
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll
@@ -1,10 +1,4 @@
-/**
- * Provides taint-tracking configurations for detecting LDAP injection vulnerabilities
- *
- * Note, for performance reasons: only import this file if
- * `LdapInjection::Configuration` is needed, otherwise
- * `LdapInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `LdapInjectionQuery` instead. */

 import python
 import semmle.python.Concepts
@@ -12,13 +6,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources

-/**
- * Provides aint-tracking configurations for detecting LDAP injection vulnerabilities.class
- *
- * Two configurations are provided. One is for detecting LDAP injection
- * via the distinguished name (DN). The other is for detecting LDAP injection
- * via the filter. These require different escapings.
- */
-module LdapInjection {
+/** DEPRECATED. Import `LdapInjectionQuery` instead. */
+deprecated module LdapInjection {
  import LdapInjectionQuery // ignore-query-import
 }
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll
@@ -1,18 +1,10 @@
-/**
- * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
- *
- * Note, for performance reasons: only import this file if
- * `LogInjection::Configuration` is needed, otherwise
- * `LogInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `LogInjectionQuery` instead. */

 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
- */
-module LogInjection {
+/** DEPRECATED. Import `LogInjectionQuery` instead. */
+deprecated module LogInjection {
  import LogInjectionQuery // ignore-query-import
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll
@@ -1,20 +1,12 @@
-/**
- * Provides taint-tracking configurations for detecting "path injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `PathInjection::Configuration` is needed, otherwise
- * `PathInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `PathInjectionQuery` instead. */

 private import python
 private import semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "path injection" vulnerabilities.
- */
-module PathInjection {
+/** DEPRECATED. Import `PathInjectionQuery` instead. */
+deprecated module PathInjection {
  import PathInjectionQuery // ignore-query-import
 }

@@ -30,7 +22,7 @@ import PathInjectionCustomizations::PathInjection
 // Case 1. The path is never normalized.
 // ---------------------------------------------------------------------------
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
 *
 * Configuration to find paths from sources to sinks that contain no normalization.
 */
@@ -53,7 +45,7 @@ deprecated class PathNotNormalizedConfiguration extends TaintTracking::Configura
 }

 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
 *
 * Holds if there is a path injection from source to sink, where the (python) path is
 * not normalized.
@@ -66,7 +58,7 @@ deprecated predicate pathNotNormalized(CustomPathNode source, CustomPathNode sin
 // Case 2. The path is normalized at least once, but never checked afterwards.
 // ---------------------------------------------------------------------------
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
 *
 * Configuration to find paths from sources to normalizations that contain no prior normalizations.
 */
@@ -87,7 +79,7 @@ deprecated class FirstNormalizationConfiguration extends TaintTracking::Configur
 }

 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
 *
 * Configuration to find paths from normalizations to sinks that do not go through a check.
 */
@@ -108,7 +100,7 @@ deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::C
 }

 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
 *
 * Holds if there is a path injection from source to sink, where the (python) path is
 * normalized at least once, but never checked afterwards.
@@ -128,7 +120,7 @@ deprecated predicate pathNotCheckedAfterNormalization(CustomPathNode source, Cus
 // Query: Either case 1 or case 2.
 // ---------------------------------------------------------------------------
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
 *
 * Holds if there is a path injection from source to sink
 */
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoS.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoS.qll
@@ -1,18 +1,10 @@
-/**
- * Provides a taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `PolynomialReDoS::Configuration` is needed, otherwise
- * `PolynomialReDoSCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
- */
-module PolynomialReDoS {
+/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
+deprecated module PolynomialReDoS {
  import PolynomialReDoSQuery // ignore-query-import
 }
--- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSS.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSS.qll
@@ -1,28 +1,16 @@
-/**
- * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `ReflectedXSS::Configuration` is needed, otherwise
- * `ReflectedXSSCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
- */
-module ReflectedXss {
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
+deprecated module ReflectedXss {
  import ReflectedXSSQuery // ignore-query-import
 }

-/** DEPRECATED: Alias for ReflectedXss */
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
 deprecated module ReflectedXSS = ReflectedXss;

-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `ReflectedXSSCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
 deprecated class ReflectedXssConfiguration = ReflectedXss::Configuration;
--- a/python/ql/lib/semmle/python/security/dataflow/RegexInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjection.qll
@@ -1,20 +1,10 @@
-/**
- * Provides a taint-tracking configuration for detecting regular expression injection
- * vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `RegexInjection::Configuration` is needed, otherwise
- * `RegexInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `RegexInjectionQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting regular expression injection
- * vulnerabilities.
- */
-module RegexInjection {
+/** DEPRECATED. Import `RegexInjectionQuery` instead. */
+deprecated module RegexInjection {
  import RegexInjectionQuery // ignore-query-import
 }
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll
@@ -1,10 +1,4 @@
-/**
- * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `ServerSideRequestForgery::Configuration` is needed, otherwise
- * `ServerSideRequestForgeryCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
@@ -12,33 +6,19 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.Concepts
 import ServerSideRequestForgeryQuery as ServerSideRequestForgeryQuery // ignore-query-import

-/**
- * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
- * See `PartialServerSideRequestForgery` for a variant without this requirement.
- *
- * You should use the `partOfFullyControlledRequest` to only select results where all
- * URL parts are fully controlled.
- */
-module FullServerSideRequestForgery {
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
+deprecated module FullServerSideRequestForgery {
  import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery

  class Configuration = ServerSideRequestForgeryQuery::FullServerSideRequestForgeryConfiguration;
 }

-/**
- * Holds if all URL parts of `request` is fully user controlled.
- */
-predicate fullyControlledRequest = ServerSideRequestForgeryQuery::fullyControlledRequest/1;
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
+deprecated predicate fullyControlledRequest =
+  ServerSideRequestForgeryQuery::fullyControlledRequest/1;

-/**
- * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * This configuration has results, even when the attacker does not have full control over the URL.
- * See `FullServerSideRequestForgery` for variant that has this requirement.
- */
-module PartialServerSideRequestForgery {
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
+deprecated module PartialServerSideRequestForgery {
  import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery

  class Configuration = ServerSideRequestForgeryQuery::PartialServerSideRequestForgeryConfiguration;
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjection.qll
@@ -1,28 +1,16 @@
-/**
- * Provides a taint-tracking configuration for detecting "SQL injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `SqlInjection::Configuration` is needed, otherwise
- * `SqlInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "SQL injection" vulnerabilities.
- */
-module SqlInjection {
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */
+deprecated module SqlInjection {
  import SqlInjectionQuery // ignore-query-import
 }

-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `SqlInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */
 deprecated class SqlInjectionConfiguration = SqlInjection::Configuration;

-/** DEPRECATED: Alias for SqlInjectionConfiguration */
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */
 deprecated class SQLInjectionConfiguration = SqlInjectionConfiguration;
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposure.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposure.qll
@@ -1,25 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `StackTraceExposure::Configuration` is needed, otherwise
- * `StackTraceExposureCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `StackTraceExposureQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
- */
-module StackTraceExposure {
+/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
+deprecated module StackTraceExposure {
  import StackTraceExposureQuery // ignore-query-import
 }

-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `StackTraceExposureCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
 deprecated class StackTraceExposureConfiguration = StackTraceExposure::Configuration;
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserialization.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserialization.qll
@@ -1,25 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `UnsafeDeserialization::Configuration` is needed, otherwise
- * `UnsafeDeserializationCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
- */
-module UnsafeDeserialization {
+/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
+deprecated module UnsafeDeserialization {
  import UnsafeDeserializationQuery // ignore-query-import
 }

-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `UnsafeDeserializationCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
 deprecated class UnsafeDeserializationConfiguration = UnsafeDeserialization::Configuration;
--- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirect.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirect.qll
@@ -1,25 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `UrlRedirect::Configuration` is needed, otherwise
- * `UrlRedirectCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `UrlRedirectQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities.
- */
-module UrlRedirect {
+/** DEPRECATED. Import `UrlRedirectQuery` instead. */
+deprecated module UrlRedirect {
  import UrlRedirectQuery // ignore-query-import
 }

-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `UrlRedirectCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `UrlRedirectQuery` instead. */
 deprecated class UrlRedirectConfiguration = UrlRedirect::Configuration;
--- a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
@@ -1,11 +1,4 @@
-/**
- * Provides a taint-tracking configuration for detecting use of a broken or weak
- * cryptographic hashing algorithm on sensitive data.
- *
- * Note, for performance reasons: only import this file if
- * `WeakSensitiveDataHashing::Configuration` is needed, otherwise
- * `WeakSensitiveDataHashingCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */

 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -15,22 +8,12 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources

-/**
- * Provides a taint-tracking configuration for detecting use of a broken or weak
- * cryptographic hash function on sensitive data, that does NOT require a
- * computationally expensive hash function.
- */
-module NormalHashFunction {
+/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
+deprecated module NormalHashFunction {
  import WeakSensitiveDataHashingQuery::NormalHashFunction // ignore-query-import
 }

-/**
- * Provides a taint-tracking configuration for detecting use of a broken or weak
- * cryptographic hashing algorithm on passwords.
- *
- * Passwords has stricter requirements on the hashing algorithm used (must be
- * computationally expensive to prevent brute-force attacks).
- */
-module ComputationallyExpensiveHashFunction {
+/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
+deprecated module ComputationallyExpensiveHashFunction {
  import WeakSensitiveDataHashingQuery::ComputationallyExpensiveHashFunction // ignore-query-import
 }
--- a/python/ql/lib/semmle/python/security/dataflow/XpathInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjection.qll
@@ -1,18 +1,10 @@
-/**
- * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `XpathInjection::Configuration` is needed, otherwise
- * `XpathInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `XpathInjectionQuery` instead. */

 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
- */
-module XpathInjection {
+/** DEPRECATED. Import `XpathInjectionQuery` instead. */
+deprecated module XpathInjection {
  import XpathInjectionQuery // ignore-query-import
 }
--- a/python/ql/src/Security/CWE-022/PathInjection.ql
+++ b/python/ql/src/Security/CWE-022/PathInjection.ql
@@ -17,10 +17,10 @@
 */

 import python
-import semmle.python.security.dataflow.PathInjection
+import semmle.python.security.dataflow.PathInjectionQuery
 import DataFlow::PathGraph

-from PathInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
  "a user-provided value"
--- a/python/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/python/ql/src/Security/CWE-078/CommandInjection.ql
@@ -15,10 +15,10 @@
 */

 import python
-import semmle.python.security.dataflow.CommandInjection
+import semmle.python.security.dataflow.CommandInjectionQuery
 import DataFlow::PathGraph

-from CommandInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
  "a user-provided value"
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -14,10 +14,10 @@
 */

 import python
-import semmle.python.security.dataflow.ReflectedXSS
+import semmle.python.security.dataflow.ReflectedXSSQuery
 import DataFlow::PathGraph

-from ReflectedXss::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
  source.getNode(), "a user-provided value"
--- a/python/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/python/ql/src/Security/CWE-089/SqlInjection.ql
@@ -12,10 +12,10 @@
 */

 import python
-import semmle.python.security.dataflow.SqlInjection
+import semmle.python.security.dataflow.SqlInjectionQuery
 import DataFlow::PathGraph

-from SqlInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
  "a user-provided value"
--- a/python/ql/src/Security/CWE-090/LdapInjection.ql
+++ b/python/ql/src/Security/CWE-090/LdapInjection.ql
@@ -13,15 +13,15 @@

 // Determine precision above
 import python
-import semmle.python.security.dataflow.LdapInjection
+import semmle.python.security.dataflow.LdapInjectionQuery
 import DataFlow::PathGraph

 from DataFlow::PathNode source, DataFlow::PathNode sink, string parameterName
 where
-  any(LdapInjection::DnConfiguration dnConfig).hasFlowPath(source, sink) and
+  any(DnConfiguration dnConfig).hasFlowPath(source, sink) and
  parameterName = "DN"
  or
-  any(LdapInjection::FilterConfiguration filterConfig).hasFlowPath(source, sink) and
+  any(FilterConfiguration filterConfig).hasFlowPath(source, sink) and
  parameterName = "filter"
 select sink.getNode(), source, sink,
  "$@ LDAP query parameter (" + parameterName + ") comes from $@.", sink.getNode(), "This",
--- a/python/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/python/ql/src/Security/CWE-094/CodeInjection.ql
@@ -15,10 +15,10 @@
 */

 import python
-import semmle.python.security.dataflow.CodeInjection
+import semmle.python.security.dataflow.CodeInjectionQuery
 import DataFlow::PathGraph

-from CodeInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
  source.getNode(), "A user-provided value"
--- a/python/ql/src/Security/CWE-117/LogInjection.ql
+++ b/python/ql/src/Security/CWE-117/LogInjection.ql
@@ -12,10 +12,10 @@
 */

 import python
-import semmle.python.security.dataflow.LogInjection
+import semmle.python.security.dataflow.LogInjectionQuery
 import DataFlow::PathGraph

-from LogInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ flows to log entry.", source.getNode(),
  "User-provided value"
--- a/python/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -14,10 +14,10 @@
 */

 import python
-import semmle.python.security.dataflow.StackTraceExposure
+import semmle.python.security.dataflow.StackTraceExposureQuery
 import DataFlow::PathGraph

-from StackTraceExposure::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ may be exposed to an external user", source.getNode(),
  "Error information"
--- a/python/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/python/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -16,7 +16,7 @@
 import python
 private import semmle.python.dataflow.new.DataFlow
 import DataFlow::PathGraph
-import semmle.python.security.dataflow.CleartextLogging::CleartextLogging
+import semmle.python.security.dataflow.CleartextLoggingQuery

 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
 where
--- a/python/ql/src/Security/CWE-312/CleartextStorage.ql
+++ b/python/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -16,7 +16,7 @@
 import python
 private import semmle.python.dataflow.new.DataFlow
 import DataFlow::PathGraph
-import semmle.python.security.dataflow.CleartextStorage::CleartextStorage
+import semmle.python.security.dataflow.CleartextStorageQuery

 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
 where
--- a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
+++ b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
@@ -13,7 +13,7 @@
 */

 import python
-import semmle.python.security.dataflow.WeakSensitiveDataHashing
+import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import DataFlow::PathGraph
--- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -13,9 +13,9 @@
 */

 import python
-import semmle.python.security.dataflow.UnsafeDeserialization
+import semmle.python.security.dataflow.UnsafeDeserializationQuery
 import DataFlow::PathGraph

-from UnsafeDeserialization::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Deserializing of $@.", source.getNode(), "untrusted input"
--- a/python/ql/src/Security/CWE-601/UrlRedirect.ql
+++ b/python/ql/src/Security/CWE-601/UrlRedirect.ql
@@ -13,10 +13,10 @@
 */

 import python
-import semmle.python.security.dataflow.UrlRedirect
+import semmle.python.security.dataflow.UrlRedirectQuery
 import DataFlow::PathGraph

-from UrlRedirect::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
  "A user-provided value"
--- a/python/ql/src/Security/CWE-643/XpathInjection.ql
+++ b/python/ql/src/Security/CWE-643/XpathInjection.ql
@@ -12,9 +12,9 @@
 */

 import python
-import semmle.python.security.dataflow.XpathInjection
+import semmle.python.security.dataflow.XpathInjectionQuery
 import DataFlow::PathGraph

-from XpathInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink, source, sink, "This Xpath query depends on $@.", source, "a user-provided value"
--- a/python/ql/src/Security/CWE-730/PolynomialReDoS.ql
+++ b/python/ql/src/Security/CWE-730/PolynomialReDoS.ql
@@ -14,12 +14,12 @@

 import python
 import semmle.python.security.performance.SuperlinearBackTracking
-import semmle.python.security.dataflow.PolynomialReDoS
+import semmle.python.security.dataflow.PolynomialReDoSQuery
 import DataFlow::PathGraph

 from
-  PolynomialReDoS::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  PolynomialReDoS::Sink sinkNode, PolynomialBackTrackingTerm regexp
+  Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode,
+  PolynomialBackTrackingTerm regexp
 where
  config.hasFlowPath(source, sink) and
  sinkNode = sink.getNode() and
--- a/python/ql/src/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/Security/CWE-730/RegexInjection.ql
@@ -14,15 +14,15 @@

 import python
 private import semmle.python.Concepts
-import semmle.python.security.dataflow.RegexInjection
+import semmle.python.security.dataflow.RegexInjectionQuery
 import DataFlow::PathGraph

 from
-  RegexInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
  RegexExecution regexExecution
 where
  config.hasFlowPath(source, sink) and
-  regexExecution = sink.getNode().(RegexInjection::Sink).getRegexExecution()
+  regexExecution = sink.getNode().(Sink).getRegexExecution()
 select sink.getNode(), source, sink,
  "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
  source.getNode(), "user-provided value", regexExecution, regexExecution.getName()
--- a/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql
+++ b/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql
@@ -11,14 +11,14 @@
 */

 import python
-import semmle.python.security.dataflow.ServerSideRequestForgery
+import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
 import DataFlow::PathGraph

 from
-  FullServerSideRequestForgery::Configuration fullConfig, DataFlow::PathNode source,
+  FullServerSideRequestForgeryConfiguration fullConfig, DataFlow::PathNode source,
  DataFlow::PathNode sink, HTTP::Client::Request request
 where
-  request = sink.getNode().(FullServerSideRequestForgery::Sink).getRequest() and
+  request = sink.getNode().(Sink).getRequest() and
  fullConfig.hasFlowPath(source, sink) and
  fullyControlledRequest(request)
 select request, source, sink, "The full URL of this request depends on $@.", source.getNode(),
--- a/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql
+++ b/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql
@@ -11,14 +11,14 @@
 */

 import python
-import semmle.python.security.dataflow.ServerSideRequestForgery
+import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
 import DataFlow::PathGraph

 from
-  PartialServerSideRequestForgery::Configuration partialConfig, DataFlow::PathNode source,
+  PartialServerSideRequestForgeryConfiguration partialConfig, DataFlow::PathNode source,
  DataFlow::PathNode sink, HTTP::Client::Request request
 where
-  request = sink.getNode().(PartialServerSideRequestForgery::Sink).getRequest() and
+  request = sink.getNode().(Sink).getRequest() and
  partialConfig.hasFlowPath(source, sink) and
  not fullyControlledRequest(request)
 select request, source, sink, "Part of the URL of this request depends on $@.", source.getNode(),