diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
index 3e1c62b02c2..9672a830ce0 100644
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -27,10 +27,7 @@ predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperat
   )
 }
 
-predicate isSource(FlowSource source, string sourceType) {
-  not source instanceof DataFlow::ExprNode and
-  sourceType = source.getSourceType()
-}
+predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
 
 module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { isSource(node, _) }
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
index 341f9f9c853..f4a716765b8 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -21,10 +21,7 @@ import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.ir.IR
 import Flow::PathGraph
 
-predicate isSource(FlowSource source, string sourceType) {
-  not source instanceof DataFlow::ExprNode and
-  sourceType = source.getSourceType()
-}
+predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
 
 module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { isSource(node, _) }
diff --git a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
index 5a107602a64..ada0180668e 100644
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -62,9 +62,7 @@ predicate hardCodedAddressInCondition(Expr subexpression, Expr condition) {
   condition = any(IfStmt ifStmt).getCondition()
 }
 
-predicate isSource(FS::FlowSource source, string sourceType) {
-  source.getSourceType() = sourceType and not source instanceof DataFlow::ExprNode
-}
+predicate isSource(FS::FlowSource source, string sourceType) { source.getSourceType() = sourceType }
 
 predicate isSink(DataFlow::Node sink, Expr condition) {
   hardCodedAddressInCondition([sink.asExpr(), sink.asIndirectExpr()], condition)