diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
index 80de02d7067..6342a444a64 100644
--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -124,7 +124,7 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
 source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
 }
 
- override predicate isSink(Node sink) { sinkNode(sink, "create-file") }
+ override predicate isSink(Node sink) { sink instanceof FileCreationSink }
 
 override predicate isAdditionalTaintStep(Node n1, Node n2) {
 filePathStep(n1, n2) or fileTaintStep(n1, n2)
@@ -146,6 +146,13 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
 }
 }
 
+/**
+ * A sink that represents a file creation, such as a file write, copy or move operation.
+ */
+private class FileCreationSink extends DataFlow::Node {
+ FileCreationSink() { sinkNode(this, "create-file") }
+}
+
 from PathNode source, PathNode sink
 where any(ZipSlipConfiguration c).hasFlowPath(source, sink)
 select source.getNode(), source, sink,
diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
index e4ee42008a1..aef404aabd1 100644
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
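Review bot: The rewritten `isSink` keeps the bare `Node` parameter type while the `FileCreationSink` it tests against is declared as `extends DataFlow::Node`, so the two halves of the same membership check read as if they used different types. Since the removed `sinkNode(sink, "create-file")` call accepted the same parameter, `Node` presumably resolves to `DataFlow::Node` in this file, but spelling it one way in both places (for example `private class FileCreationSink extends Node {`, matching `isAdditionalTaintStep(Node n1, Node n2)` in this hunk) would make that explicit to the next reader. The enclosing `ZipSlipConfiguration` class starts before and continues after this hunk.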
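Review bot: The QLDoc on `FileCreationSink` describes the sink in prose only, while the set of sinks it actually matches is whatever CSV sink-model rows carry the `create-file` kind (the `SinkModelCsv` mechanism visible in the XSS.qll hunk of this same diff), and nothing in the comment points a reader auditing a missed or spurious result to that kind. I would extend it to name the kind, e.g. `A sink that represents a file creation (a file write, copy or move operation), as modelled by CSV sink rows of kind "create-file".` The same applies to `BeanValidationSink` in InsecureBeanValidation.ql and to `HostnameVerifierSink` in UnsafeHostnameVerification.ql, where the comment states `HttpsURLConnection` as the target even though the `set-hostname-verifier` rows decide what is matched. All three classes are also `private` inside `.ql` files, so no other query or test can reuse them; if sharing is wanted later, a common `.qll` would avoid repeating the pattern.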
@@ -60,7 +60,15 @@ class BeanValidationConfig extends TaintTracking::Configuration {
 
 override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
- override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "bean-validation") }
+ override predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+}
+
+/**
+ * A bean validation sink, such as method `buildConstraintViolationWithTemplate`
+ * declared on a subtype of `javax.validation.ConstraintValidatorContext`.
+ */
+private class BeanValidationSink extends DataFlow::Node {
+ BeanValidationSink() { sinkNode(this, "bean-validation") }
 }
 
 from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
index d1fe8aee075..0bf7a164826 100644
--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -50,7 +50,7 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
 source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
 }
 
- override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "set-hostname-verifier") }
+ override predicate isSink(DataFlow::Node sink) { sink instanceof HostnameVerifierSink }
 
 override predicate isBarrier(DataFlow::Node barrier) {
 // ignore nodes that are in functions that intentionally disable hostname verification
@@ -78,6 +78,13 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
 }
 }
 
+/**
+ * A sink that sets the `HostnameVerifier` on `HttpsURLConnection`.
+ */
+private class HostnameVerifierSink extends DataFlow::Node {
+ HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
+}
+
 bindingset[result]
 private string getAFlagName() {
 result
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
index 9791eed203b..486e8053953 100644
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -29,6 +29,7 @@ class XssAdditionalTaintStep extends Unit {
 abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
+/** CSV sink models representing methods susceptible to XSS attacks. */
 private class DefaultXssSinkModel extends SinkModelCsv {
 override predicate row(string row) {
 row =