Merge branch 'master' into python-cwe-312

2026-05-03 04:39:29 +02:00 · 2019-08-30 10:30:51 +01:00
parent 4f172bd075 4f26b58a1a
commit 811815aa4e
135 changed files with 12128 additions and 2591 deletions
--- a/python/ql/test/library-tests/taint/config/RockPaperScissors.expected
+++ b/python/ql/test/library-tests/taint/config/RockPaperScissors.expected
@@ -0,0 +1,93 @@
+edges
+| carrier.py:17:9:17:31 | .attr = simple.test | carrier.py:18:10:18:10 | .attr = simple.test |
+| carrier.py:17:25:17:30 | simple.test | carrier.py:17:9:17:31 | .attr = simple.test |
+| carrier.py:18:10:18:10 | .attr = simple.test | carrier.py:18:10:18:15 | simple.test |
+| carrier.py:21:9:21:28 | explicit.carrier | carrier.py:22:10:22:10 | explicit.carrier |
+| carrier.py:22:10:22:10 | explicit.carrier | carrier.py:22:10:22:22 | simple.test |
+| carrier.py:25:9:25:36 | .attr = simple.test | carrier.py:26:10:26:10 | .attr = simple.test |
+| carrier.py:25:13:25:35 | .attr = simple.test | carrier.py:25:9:25:36 | .attr = simple.test |
+| carrier.py:25:29:25:34 | simple.test | carrier.py:25:13:25:35 | .attr = simple.test |
+| carrier.py:26:10:26:10 | .attr = simple.test | carrier.py:26:10:26:21 | simple.test |
+| carrier.py:29:9:29:33 | explicit.carrier | carrier.py:30:10:30:10 | explicit.carrier |
+| carrier.py:29:13:29:32 | explicit.carrier | carrier.py:29:9:29:33 | explicit.carrier |
+| carrier.py:30:10:30:10 | explicit.carrier | carrier.py:30:10:30:22 | simple.test |
+| carrier.py:33:9:33:45 | .attr = explicit.carrier | carrier.py:34:9:34:9 | .attr = explicit.carrier |
+| carrier.py:33:25:33:44 | explicit.carrier | carrier.py:33:9:33:45 | .attr = explicit.carrier |
+| carrier.py:34:9:34:9 | .attr = explicit.carrier | carrier.py:34:9:34:14 | explicit.carrier |
+| carrier.py:34:9:34:14 | explicit.carrier | carrier.py:35:10:35:10 | explicit.carrier |
+| carrier.py:35:10:35:10 | explicit.carrier | carrier.py:35:10:35:22 | simple.test |
+| deep.py:20:5:20:14 | simple.test | deep.py:22:6:22:6 | simple.test |
+| deep.py:20:8:20:13 | simple.test | deep.py:20:5:20:14 | simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:85:8:85:13 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:88:9:88:14 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:110:11:110:16 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:115:11:115:16 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:155:20:155:38 | simple.test |
+| module.py:7:12:7:17 | simple.test | test.py:100:9:100:31 | simple.test |
+| rockpaperscissors.py:24:9:24:12 | rock | rockpaperscissors.py:25:9:25:9 | rock |
+| rockpaperscissors.py:25:9:25:9 | rock | rockpaperscissors.py:25:9:25:16 | scissors |
+| rockpaperscissors.py:25:9:25:16 | scissors | rockpaperscissors.py:25:9:25:23 | paper |
+| rockpaperscissors.py:25:9:25:23 | paper | rockpaperscissors.py:26:14:26:14 | paper |
+| test.py:6:9:6:14 | simple.test | test.py:7:10:7:10 | simple.test |
+| test.py:10:12:10:17 | simple.test | test.py:16:9:16:16 | simple.test |
+| test.py:10:12:10:17 | simple.test | test.py:24:9:24:16 | simple.test |
+| test.py:10:12:10:17 | simple.test | test.py:44:12:44:22 | simple.test |
+| test.py:12:10:12:12 | simple.test | test.py:13:10:13:12 | simple.test |
+| test.py:16:9:16:16 | simple.test | test.py:17:10:17:10 | simple.test |
+| test.py:20:9:20:14 | simple.test | test.py:21:10:21:10 | simple.test |
+| test.py:21:10:21:10 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:24:9:24:16 | simple.test | test.py:25:10:25:10 | simple.test |
+| test.py:25:10:25:10 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:37:13:37:18 | simple.test | test.py:41:14:41:14 | simple.test |
+| test.py:44:12:44:22 | simple.test | test.py:54:9:54:17 | simple.test |
+| test.py:46:11:46:13 | simple.test | test.py:47:10:47:12 | simple.test |
+| test.py:47:10:47:12 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:49:17:49:19 | simple.test | test.py:51:14:51:16 | simple.test |
+| test.py:51:14:51:16 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:54:9:54:17 | simple.test | test.py:55:11:55:11 | simple.test |
+| test.py:55:11:55:11 | simple.test | test.py:46:11:46:13 | simple.test |
+| test.py:62:13:62:18 | simple.test | test.py:63:17:63:17 | simple.test |
+| test.py:63:17:63:17 | simple.test | test.py:49:17:49:19 | simple.test |
+| test.py:67:13:67:18 | simple.test | test.py:70:17:70:17 | simple.test |
+| test.py:70:17:70:17 | simple.test | test.py:49:17:49:19 | simple.test |
+| test.py:76:9:76:14 | simple.test | test.py:77:13:77:13 | simple.test |
+| test.py:77:9:77:14 | simple.test | test.py:78:10:78:10 | simple.test |
+| test.py:77:13:77:13 | simple.test | test.py:77:9:77:14 | simple.test |
+| test.py:85:8:85:13 | .dangerous = simple.test | test.py:88:9:88:14 | .dangerous = simple.test |
+| test.py:85:8:85:13 | .dangerous = simple.test | test.py:110:11:110:16 | .dangerous = simple.test |
+| test.py:85:8:85:13 | .dangerous = simple.test | test.py:115:11:115:16 | .dangerous = simple.test |
+| test.py:88:9:88:14 | .dangerous = simple.test | test.py:88:9:88:24 | simple.test |
+| test.py:88:9:88:24 | simple.test | test.py:89:10:89:10 | simple.test |
+| test.py:100:9:100:31 | simple.test | test.py:101:10:101:10 | simple.test |
+| test.py:105:12:105:14 | .x = simple.test | test.py:106:10:106:12 | .x = simple.test |
+| test.py:106:10:106:12 | .x = simple.test | test.py:106:10:106:14 | simple.test |
+| test.py:110:11:110:16 | .dangerous = simple.test | test.py:110:11:110:26 | simple.test |
+| test.py:110:11:110:26 | simple.test | test.py:111:10:111:10 | .x = simple.test |
+| test.py:111:10:111:10 | .x = simple.test | test.py:111:10:111:12 | simple.test |
+| test.py:115:11:115:16 | .dangerous = simple.test | test.py:115:11:115:26 | simple.test |
+| test.py:115:11:115:26 | simple.test | test.py:116:13:116:13 | .x = simple.test |
+| test.py:116:9:116:14 | .x = simple.test | test.py:117:12:117:12 | .x = simple.test |
+| test.py:116:13:116:13 | .x = simple.test | test.py:116:9:116:14 | .x = simple.test |
+| test.py:117:12:117:12 | .x = simple.test | test.py:105:12:105:14 | .x = simple.test |
+| test.py:126:13:126:25 | simple.test | test.py:130:21:130:21 | simple.test |
+| test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test |
+| test.py:155:20:155:38 | simple.test | test.py:156:6:156:11 | simple.test |
+| test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test |
+| test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test |
+| test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test |
+| test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test |
+| test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test |
+| test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test |
+| test.py:208:11:208:18 | sequence of simple.test | test.py:209:14:209:16 | sequence of simple.test |
+| test.py:208:12:208:17 | simple.test | test.py:208:11:208:18 | sequence of simple.test |
+| test.py:209:5:209:17 | simple.test | test.py:210:15:210:15 | simple.test |
+| test.py:209:14:209:16 | sequence of simple.test | test.py:209:5:209:17 | simple.test |
+| test.py:210:15:210:15 | simple.test | test.py:213:14:213:32 | iterable.simple |
+| test.py:210:15:210:15 | simple.test | test.py:213:14:213:32 | sequence of simple.test |
+| test.py:213:5:213:33 | simple.test | test.py:214:14:214:14 | simple.test |
+| test.py:213:14:213:32 | iterable.simple | test.py:213:5:213:33 | simple.test |
+| test.py:213:14:213:32 | sequence of simple.test | test.py:213:5:213:33 | simple.test |
+#select
+| rockpaperscissors.py:13:10:13:17 | SCISSORS | rockpaperscissors.py:13:10:13:17 | scissors | rockpaperscissors.py:13:10:13:17 | scissors | $@ loses to $@. | rockpaperscissors.py:13:10:13:17 | SCISSORS | scissors | rockpaperscissors.py:13:10:13:17 | SCISSORS | scissors |
+| rockpaperscissors.py:16:11:16:14 | ROCK | rockpaperscissors.py:16:11:16:14 | rock | rockpaperscissors.py:16:11:16:14 | rock | $@ loses to $@. | rockpaperscissors.py:16:11:16:14 | ROCK | rock | rockpaperscissors.py:16:11:16:14 | ROCK | rock |
+| rockpaperscissors.py:26:14:26:14 | y | rockpaperscissors.py:24:9:24:12 | rock | rockpaperscissors.py:26:14:26:14 | paper | $@ loses to $@. | rockpaperscissors.py:24:9:24:12 | ROCK | rock | rockpaperscissors.py:26:14:26:14 | y | paper |
--- a/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
+++ b/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
@@ -0,0 +1,13 @@
+
+/**
+ * @kind path-problem
+ */
+
+import python
+import semmle.python.security.TaintTracking
+import TaintLib
+import semmle.python.security.Paths
+
+from RockPaperScissorConfig config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "$@ loses to $@.", src.getNode(), src.getTaintKind().toString(), sink.getNode(), sink.getTaintKind().toString()
--- a/python/ql/test/library-tests/taint/config/Simple.expected
+++ b/python/ql/test/library-tests/taint/config/Simple.expected
@@ -0,0 +1,115 @@
+edges
+| carrier.py:17:9:17:31 | .attr = simple.test | carrier.py:18:10:18:10 | .attr = simple.test |
+| carrier.py:17:25:17:30 | simple.test | carrier.py:17:9:17:31 | .attr = simple.test |
+| carrier.py:18:10:18:10 | .attr = simple.test | carrier.py:18:10:18:15 | simple.test |
+| carrier.py:21:9:21:28 | explicit.carrier | carrier.py:22:10:22:10 | explicit.carrier |
+| carrier.py:22:10:22:10 | explicit.carrier | carrier.py:22:10:22:22 | simple.test |
+| carrier.py:25:9:25:36 | .attr = simple.test | carrier.py:26:10:26:10 | .attr = simple.test |
+| carrier.py:25:13:25:35 | .attr = simple.test | carrier.py:25:9:25:36 | .attr = simple.test |
+| carrier.py:25:29:25:34 | simple.test | carrier.py:25:13:25:35 | .attr = simple.test |
+| carrier.py:26:10:26:10 | .attr = simple.test | carrier.py:26:10:26:21 | simple.test |
+| carrier.py:29:9:29:33 | explicit.carrier | carrier.py:30:10:30:10 | explicit.carrier |
+| carrier.py:29:13:29:32 | explicit.carrier | carrier.py:29:9:29:33 | explicit.carrier |
+| carrier.py:30:10:30:10 | explicit.carrier | carrier.py:30:10:30:22 | simple.test |
+| carrier.py:33:9:33:45 | .attr = explicit.carrier | carrier.py:34:9:34:9 | .attr = explicit.carrier |
+| carrier.py:33:25:33:44 | explicit.carrier | carrier.py:33:9:33:45 | .attr = explicit.carrier |
+| carrier.py:34:9:34:9 | .attr = explicit.carrier | carrier.py:34:9:34:14 | explicit.carrier |
+| carrier.py:34:9:34:14 | explicit.carrier | carrier.py:35:10:35:10 | explicit.carrier |
+| carrier.py:35:10:35:10 | explicit.carrier | carrier.py:35:10:35:22 | simple.test |
+| deep.py:20:5:20:14 | simple.test | deep.py:22:6:22:6 | simple.test |
+| deep.py:20:8:20:13 | simple.test | deep.py:20:5:20:14 | simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:85:8:85:13 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:88:9:88:14 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:110:11:110:16 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:115:11:115:16 | .dangerous = simple.test |
+| module.py:3:13:3:18 | simple.test | test.py:155:20:155:38 | simple.test |
+| module.py:7:12:7:17 | simple.test | test.py:100:9:100:31 | simple.test |
+| rockpaperscissors.py:24:9:24:12 | rock | rockpaperscissors.py:25:9:25:9 | rock |
+| rockpaperscissors.py:25:9:25:9 | rock | rockpaperscissors.py:25:9:25:16 | scissors |
+| rockpaperscissors.py:25:9:25:16 | scissors | rockpaperscissors.py:25:9:25:23 | paper |
+| rockpaperscissors.py:25:9:25:23 | paper | rockpaperscissors.py:26:14:26:14 | paper |
+| test.py:6:9:6:14 | simple.test | test.py:7:10:7:10 | simple.test |
+| test.py:10:12:10:17 | simple.test | test.py:16:9:16:16 | simple.test |
+| test.py:10:12:10:17 | simple.test | test.py:24:9:24:16 | simple.test |
+| test.py:10:12:10:17 | simple.test | test.py:44:12:44:22 | simple.test |
+| test.py:12:10:12:12 | simple.test | test.py:13:10:13:12 | simple.test |
+| test.py:16:9:16:16 | simple.test | test.py:17:10:17:10 | simple.test |
+| test.py:20:9:20:14 | simple.test | test.py:21:10:21:10 | simple.test |
+| test.py:21:10:21:10 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:24:9:24:16 | simple.test | test.py:25:10:25:10 | simple.test |
+| test.py:25:10:25:10 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:37:13:37:18 | simple.test | test.py:41:14:41:14 | simple.test |
+| test.py:44:12:44:22 | simple.test | test.py:54:9:54:17 | simple.test |
+| test.py:46:11:46:13 | simple.test | test.py:47:10:47:12 | simple.test |
+| test.py:47:10:47:12 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:49:17:49:19 | simple.test | test.py:51:14:51:16 | simple.test |
+| test.py:51:14:51:16 | simple.test | test.py:12:10:12:12 | simple.test |
+| test.py:54:9:54:17 | simple.test | test.py:55:11:55:11 | simple.test |
+| test.py:55:11:55:11 | simple.test | test.py:46:11:46:13 | simple.test |
+| test.py:62:13:62:18 | simple.test | test.py:63:17:63:17 | simple.test |
+| test.py:63:17:63:17 | simple.test | test.py:49:17:49:19 | simple.test |
+| test.py:67:13:67:18 | simple.test | test.py:70:17:70:17 | simple.test |
+| test.py:70:17:70:17 | simple.test | test.py:49:17:49:19 | simple.test |
+| test.py:76:9:76:14 | simple.test | test.py:77:13:77:13 | simple.test |
+| test.py:77:9:77:14 | simple.test | test.py:78:10:78:10 | simple.test |
+| test.py:77:13:77:13 | simple.test | test.py:77:9:77:14 | simple.test |
+| test.py:85:8:85:13 | .dangerous = simple.test | test.py:88:9:88:14 | .dangerous = simple.test |
+| test.py:85:8:85:13 | .dangerous = simple.test | test.py:110:11:110:16 | .dangerous = simple.test |
+| test.py:85:8:85:13 | .dangerous = simple.test | test.py:115:11:115:16 | .dangerous = simple.test |
+| test.py:88:9:88:14 | .dangerous = simple.test | test.py:88:9:88:24 | simple.test |
+| test.py:88:9:88:24 | simple.test | test.py:89:10:89:10 | simple.test |
+| test.py:100:9:100:31 | simple.test | test.py:101:10:101:10 | simple.test |
+| test.py:105:12:105:14 | .x = simple.test | test.py:106:10:106:12 | .x = simple.test |
+| test.py:106:10:106:12 | .x = simple.test | test.py:106:10:106:14 | simple.test |
+| test.py:110:11:110:16 | .dangerous = simple.test | test.py:110:11:110:26 | simple.test |
+| test.py:110:11:110:26 | simple.test | test.py:111:10:111:10 | .x = simple.test |
+| test.py:111:10:111:10 | .x = simple.test | test.py:111:10:111:12 | simple.test |
+| test.py:115:11:115:16 | .dangerous = simple.test | test.py:115:11:115:26 | simple.test |
+| test.py:115:11:115:26 | simple.test | test.py:116:13:116:13 | .x = simple.test |
+| test.py:116:9:116:14 | .x = simple.test | test.py:117:12:117:12 | .x = simple.test |
+| test.py:116:13:116:13 | .x = simple.test | test.py:116:9:116:14 | .x = simple.test |
+| test.py:117:12:117:12 | .x = simple.test | test.py:105:12:105:14 | .x = simple.test |
+| test.py:126:13:126:25 | simple.test | test.py:130:21:130:21 | simple.test |
+| test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test |
+| test.py:155:20:155:38 | simple.test | test.py:156:6:156:11 | simple.test |
+| test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test |
+| test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test |
+| test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test |
+| test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test |
+| test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test |
+| test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test |
+| test.py:208:11:208:18 | sequence of simple.test | test.py:209:14:209:16 | sequence of simple.test |
+| test.py:208:12:208:17 | simple.test | test.py:208:11:208:18 | sequence of simple.test |
+| test.py:209:5:209:17 | simple.test | test.py:210:15:210:15 | simple.test |
+| test.py:209:14:209:16 | sequence of simple.test | test.py:209:5:209:17 | simple.test |
+| test.py:210:15:210:15 | simple.test | test.py:213:14:213:32 | iterable.simple |
+| test.py:210:15:210:15 | simple.test | test.py:213:14:213:32 | sequence of simple.test |
+| test.py:213:5:213:33 | simple.test | test.py:214:14:214:14 | simple.test |
+| test.py:213:14:213:32 | iterable.simple | test.py:213:5:213:33 | simple.test |
+| test.py:213:14:213:32 | sequence of simple.test | test.py:213:5:213:33 | simple.test |
+#select
+| carrier.py:18:10:18:15 | Attribute | carrier.py:17:25:17:30 | simple.test | carrier.py:18:10:18:15 | simple.test | $@ flows to $@. | carrier.py:17:25:17:30 | SOURCE | simple.test | carrier.py:18:10:18:15 | Attribute | simple.test |
+| carrier.py:26:10:26:21 | Attribute() | carrier.py:25:29:25:34 | simple.test | carrier.py:26:10:26:21 | simple.test | $@ flows to $@. | carrier.py:25:29:25:34 | SOURCE | simple.test | carrier.py:26:10:26:21 | Attribute() | simple.test |
+| deep.py:22:6:22:6 | x | deep.py:20:8:20:13 | simple.test | deep.py:22:6:22:6 | simple.test | $@ flows to $@. | deep.py:20:8:20:13 | SOURCE | simple.test | deep.py:22:6:22:6 | x | simple.test |
+| test.py:3:10:3:15 | SOURCE | test.py:3:10:3:15 | simple.test | test.py:3:10:3:15 | simple.test | $@ flows to $@. | test.py:3:10:3:15 | SOURCE | simple.test | test.py:3:10:3:15 | SOURCE | simple.test |
+| test.py:7:10:7:10 | s | test.py:6:9:6:14 | simple.test | test.py:7:10:7:10 | simple.test | $@ flows to $@. | test.py:6:9:6:14 | SOURCE | simple.test | test.py:7:10:7:10 | s | simple.test |
+| test.py:13:10:13:12 | arg | test.py:10:12:10:17 | simple.test | test.py:13:10:13:12 | simple.test | $@ flows to $@. | test.py:10:12:10:17 | SOURCE | simple.test | test.py:13:10:13:12 | arg | simple.test |
+| test.py:13:10:13:12 | arg | test.py:20:9:20:14 | simple.test | test.py:13:10:13:12 | simple.test | $@ flows to $@. | test.py:20:9:20:14 | SOURCE | simple.test | test.py:13:10:13:12 | arg | simple.test |
+| test.py:13:10:13:12 | arg | test.py:62:13:62:18 | simple.test | test.py:13:10:13:12 | simple.test | $@ flows to $@. | test.py:62:13:62:18 | SOURCE | simple.test | test.py:13:10:13:12 | arg | simple.test |
+| test.py:13:10:13:12 | arg | test.py:67:13:67:18 | simple.test | test.py:13:10:13:12 | simple.test | $@ flows to $@. | test.py:67:13:67:18 | SOURCE | simple.test | test.py:13:10:13:12 | arg | simple.test |
+| test.py:17:10:17:10 | t | test.py:10:12:10:17 | simple.test | test.py:17:10:17:10 | simple.test | $@ flows to $@. | test.py:10:12:10:17 | SOURCE | simple.test | test.py:17:10:17:10 | t | simple.test |
+| test.py:41:14:41:14 | t | test.py:37:13:37:18 | simple.test | test.py:41:14:41:14 | simple.test | $@ flows to $@. | test.py:37:13:37:18 | SOURCE | simple.test | test.py:41:14:41:14 | t | simple.test |
+| test.py:78:10:78:10 | t | test.py:76:9:76:14 | simple.test | test.py:78:10:78:10 | simple.test | $@ flows to $@. | test.py:76:9:76:14 | SOURCE | simple.test | test.py:78:10:78:10 | t | simple.test |
+| test.py:89:10:89:10 | t | module.py:3:13:3:18 | simple.test | test.py:89:10:89:10 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:89:10:89:10 | t | simple.test |
+| test.py:101:10:101:10 | t | module.py:7:12:7:17 | simple.test | test.py:101:10:101:10 | simple.test | $@ flows to $@. | module.py:7:12:7:17 | SOURCE | simple.test | test.py:101:10:101:10 | t | simple.test |
+| test.py:106:10:106:14 | Attribute | module.py:3:13:3:18 | simple.test | test.py:106:10:106:14 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:106:10:106:14 | Attribute | simple.test |
+| test.py:111:10:111:12 | Attribute | module.py:3:13:3:18 | simple.test | test.py:111:10:111:12 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:111:10:111:12 | Attribute | simple.test |
+| test.py:132:14:132:14 | t | test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test | $@ flows to $@. | test.py:128:13:128:18 | SOURCE | simple.test | test.py:132:14:132:14 | t | simple.test |
+| test.py:156:6:156:11 | unsafe | module.py:3:13:3:18 | simple.test | test.py:156:6:156:11 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:156:6:156:11 | unsafe | simple.test |
+| test.py:160:14:160:14 | t | test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test | $@ flows to $@. | test.py:159:10:159:15 | SOURCE | simple.test | test.py:160:14:160:14 | t | simple.test |
+| test.py:165:10:165:10 | s | test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test | $@ flows to $@. | test.py:163:9:163:14 | SOURCE | simple.test | test.py:165:10:165:10 | s | simple.test |
+| test.py:180:14:180:14 | t | test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test | $@ flows to $@. | test.py:178:9:178:14 | SOURCE | simple.test | test.py:180:14:180:14 | t | simple.test |
+| test.py:186:14:186:14 | t | test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test | $@ flows to $@. | test.py:178:9:178:14 | SOURCE | simple.test | test.py:186:14:186:14 | t | simple.test |
+| test.py:197:14:197:14 | t | test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test | $@ flows to $@. | test.py:195:9:195:14 | SOURCE | simple.test | test.py:197:14:197:14 | t | simple.test |
+| test.py:199:14:199:14 | t | test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test | $@ flows to $@. | test.py:195:9:195:14 | SOURCE | simple.test | test.py:199:14:199:14 | t | simple.test |
+| test.py:214:14:214:14 | x | test.py:208:12:208:17 | simple.test | test.py:214:14:214:14 | simple.test | $@ flows to $@. | test.py:208:12:208:17 | SOURCE | simple.test | test.py:214:14:214:14 | x | simple.test |
--- a/python/ql/test/library-tests/taint/config/Simple.ql
+++ b/python/ql/test/library-tests/taint/config/Simple.ql
@@ -0,0 +1,13 @@
+
+/**
+ * @kind path-problem
+ */
+
+import python
+import semmle.python.security.TaintTracking
+import TaintLib
+import semmle.python.security.Paths
+
+from SimpleConfig config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "$@ flows to $@.", src.getNode(), src.getTaintKind().toString(), sink.getNode(), sink.getTaintKind().toString()
--- a/python/ql/test/library-tests/taint/config/TaintLib.qll
+++ b/python/ql/test/library-tests/taint/config/TaintLib.qll
@@ -0,0 +1,336 @@
+import python
+import semmle.python.security.TaintTracking
+
+
+class SimpleTest extends TaintKind {
+
+    SimpleTest() {
+        this = "simple.test"
+    }
+
+}
+
+abstract class TestConfig extends TaintTracking::Configuration {
+
+    bindingset[this]
+    TestConfig() { any() }
+
+}
+
+class SimpleConfig extends TestConfig {
+
+    SimpleConfig() { this = "Simple config" }
+
+    override predicate isSource(DataFlow::Node node, TaintKind kind) {
+        node.asCfgNode().(NameNode).getId() = "SOURCE" and
+        kind instanceof SimpleTest
+    }
+
+    override predicate isSink(DataFlow::Node node, TaintKind kind) {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "SINK" and
+            node.asCfgNode() = call.getAnArg()
+        ) and
+        kind instanceof SimpleTest
+    }
+
+    override predicate isBarrier(DataFlow::Node node, TaintKind kind) {
+        node.asCfgNode().(CallNode).getFunction().(NameNode).getId() = "SANITIZE" and
+        kind instanceof SimpleTest
+    }
+
+}
+
+class BasicCustomTaint extends TaintKind {
+
+    BasicCustomTaint() {
+        this = "basic.custom"
+    }
+
+    override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
+        tonode.(CallNode).getAnArg() = fromnode and
+        tonode.(CallNode).getFunction().(NameNode).getId() = "TAINT_FROM_ARG" and
+        result = this
+    }
+
+}
+
+
+class BasicCustomConfig extends TestConfig {
+
+    BasicCustomConfig() { this = "Basic custom config" }
+
+    override predicate isSource(DataFlow::Node node, TaintKind kind) {
+        node.asCfgNode().(NameNode).getId() = "CUSTOM_SOURCE" and
+        kind instanceof SimpleTest
+    }
+
+    override predicate isSink(DataFlow::Node node, TaintKind kind) {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "CUSTOM_SINK" and
+            node.asCfgNode() = call.getAnArg()
+        ) and
+        kind instanceof SimpleTest
+    }
+
+}
+
+
+class Rock extends TaintKind {
+
+    Rock() { this = "rock" }
+
+    override TaintKind getTaintOfMethodResult(string name) { 
+        name = "prev" and result instanceof Scissors
+    }
+
+}
+
+class Paper extends TaintKind {
+
+    Paper() { this = "paper" }
+
+    override TaintKind getTaintOfMethodResult(string name) { 
+        name = "prev" and result instanceof Rock
+    }
+
+}
+
+class Scissors extends TaintKind {
+
+    Scissors() { this = "scissors" }
+
+    override TaintKind getTaintOfMethodResult(string name) { 
+        name = "prev" and result instanceof Paper
+    }
+
+}
+
+class RockPaperScissorConfig extends TestConfig {
+
+    RockPaperScissorConfig() { this = "Rock-paper-scissors config" }
+
+
+    override predicate isSource(DataFlow::Node node, TaintKind kind) {
+        exists(string name |
+            node.asCfgNode().(NameNode).getId() = name and
+            kind = name.toLowerCase()
+            |
+            name = "ROCK" or name = "PAPER" or name = "SCISSORS"
+        )
+    }
+
+    override predicate isSink(DataFlow::Node node, TaintKind kind) {
+        exists(string name |
+            function_param(name, node) |
+            name = "paper" and kind = "rock"
+            or
+            name = "rock" and kind = "scissors"
+            or
+            name = "scissors" and kind = "paper"
+        )
+    }
+
+}
+
+private predicate function_param(string funcname, DataFlow::Node arg) {
+    exists(FunctionObject f |
+        f.getName() = funcname and
+        arg.asCfgNode() = f.getArgumentForCall(_, _)
+    )
+}
+
+
+class TaintCarrier extends TaintKind {
+
+    TaintCarrier() { this = "explicit.carrier" }
+
+    override TaintKind getTaintOfMethodResult(string name) {
+        name = "get_taint" and result instanceof SimpleTest
+    }
+
+
+}
+
+class TaintCarrierConfig extends TestConfig {
+
+    TaintCarrierConfig() { this = "Taint carrier config" }
+
+    override predicate isSource(DataFlow::Node node, TaintKind kind) {
+        node.asCfgNode().(NameNode).getId() = "TAINT_CARRIER_SOURCE" and
+        kind instanceof TaintCarrier
+    }
+
+    override predicate isSink(DataFlow::Node node, TaintKind kind) {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "SINK" and
+            node.asCfgNode() = call.getAnArg()
+        ) and
+        kind instanceof SimpleTest
+    }
+
+    override predicate isBarrier(DataFlow::Node node, TaintKind kind) {
+        node.asCfgNode().(CallNode).getFunction().(NameNode).getId() = "SANITIZE" and
+        kind instanceof SimpleTest
+    }
+
+}
+
+
+/* Some more realistic examples */
+
+abstract class UserInput extends TaintKind {
+
+    bindingset[this]
+    UserInput() { any() }
+
+}
+
+class UserInputSource extends TaintSource {
+
+    UserInputSource() { 
+        this.(CallNode).getFunction().(NameNode).getId() = "user_input" 
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof UserInput
+    }
+
+    override string toString() {
+        result = "user.input.source"
+    }
+
+}
+
+class SqlInjectionTaint extends UserInput {
+
+    SqlInjectionTaint() { this = "SQL injection" }
+
+}
+
+class CommandInjectionTaint extends UserInput {
+
+    CommandInjectionTaint() { this = "Command injection" }
+
+}
+
+class SqlSanitizer extends Sanitizer {
+
+    SqlSanitizer() { this = "SQL sanitizer" }
+
+    /** Holds if `test` shows value to be untainted with `taint` */
+    override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
+        exists(FunctionObject f, CallNode call |
+            f.getName() = "isEscapedSql" and
+            test.getTest() = call and
+            call.getAnArg() = test.getSourceVariable().getAUse() and
+            f.getACall() = call and
+            test.getSense() = true
+        ) and
+        taint instanceof SqlInjectionTaint
+    }
+
+}
+
+class CommandSanitizer extends Sanitizer {
+
+    CommandSanitizer() { this = "Command sanitizer" }
+
+    /** Holds if `test` shows value to be untainted with `taint` */
+    override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
+        exists(FunctionObject f |
+            f.getName() = "isValidCommand" and
+            f.getACall().(CallNode).getAnArg() = test.getSourceVariable().getAUse() and
+            test.getSense() = true
+        ) and
+        taint instanceof CommandInjectionTaint
+    }
+
+}
+
+class SqlQuery extends TaintSink {
+
+    SqlQuery() {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "sql_query" and
+            call.getAnArg() = this
+        )
+    }
+
+    override string toString() { result = "SQL query" }
+
+    override predicate sinks(TaintKind taint) {
+        taint instanceof SqlInjectionTaint
+    }
+
+}
+
+
+class OsCommand extends TaintSink {
+
+    OsCommand() {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "os_command" and
+            call.getAnArg() = this
+        )
+    }
+
+    override string toString() { result = "OS command" }
+
+    override predicate sinks(TaintKind taint) {
+        taint instanceof CommandInjectionTaint
+    }
+
+}
+
+
+class Falsey extends TaintKind {
+
+    Falsey() { this = "falsey" }
+
+    override boolean booleanValue() {
+        result = false
+    }
+
+}
+
+class FalseySource  extends TaintSource {
+
+    FalseySource() {
+         this.(NameNode).getId() = "FALSEY"
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof Falsey
+    }
+
+    override string toString() {
+        result = "falsey.source"
+    }
+
+}
+
+class TaintIterable extends TaintKind {
+
+    TaintIterable() {
+        this = "iterable.simple"
+    }
+
+    override TaintKind getTaintForIteration() {
+        result instanceof SimpleTest
+    }
+
+}
+
+class TaintIterableSource extends TaintSource {
+
+    TaintIterableSource() {
+        this.(NameNode).getId() = "ITERABLE_SOURCE"
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof TaintIterable
+    }
+
+}
+
--- a/python/ql/test/library-tests/taint/config/TaintedArgument.expected
+++ b/python/ql/test/library-tests/taint/config/TaintedArgument.expected
@@ -0,0 +1,29 @@
+| Rock-paper-scissors config | rockpaperscissors.py:13:10:13:17 | scissors | rockpaperscissors.py:13:5:13:18 | ControlFlowNode for rock() |  | rockpaperscissors.py:3:1:3:14 | Function rock | 0 | no attribute | scissors |
+| Rock-paper-scissors config | rockpaperscissors.py:16:11:16:14 | rock | rockpaperscissors.py:16:5:16:15 | ControlFlowNode for paper() |  | rockpaperscissors.py:6:1:6:15 | Function paper | 0 | no attribute | rock |
+| Rock-paper-scissors config | rockpaperscissors.py:21:14:21:14 | scissors | rockpaperscissors.py:21:5:21:15 | ControlFlowNode for scissors() |  | rockpaperscissors.py:9:1:9:18 | Function scissors | 0 | no attribute | scissors |
+| Rock-paper-scissors config | rockpaperscissors.py:26:14:26:14 | paper | rockpaperscissors.py:26:5:26:15 | ControlFlowNode for scissors() |  | rockpaperscissors.py:9:1:9:18 | Function scissors | 0 | no attribute | paper |
+| Rock-paper-scissors config | rockpaperscissors.py:31:11:31:11 | scissors | rockpaperscissors.py:31:5:31:12 | ControlFlowNode for paper() |  | rockpaperscissors.py:6:1:6:15 | Function paper | 0 | no attribute | scissors |
+| Rock-paper-scissors config | rockpaperscissors.py:32:11:32:11 | paper | rockpaperscissors.py:32:5:32:12 | ControlFlowNode for paper() |  | rockpaperscissors.py:6:1:6:15 | Function paper | 0 | no attribute | paper |
+| Simple config | carrier.py:17:25:17:30 | simple.test | carrier.py:17:9:17:31 | ControlFlowNode for ImplicitCarrier() |  | carrier.py:4:5:4:28 | Function ImplicitCarrier.__init__ | 1 | no attribute | simple.test |
+| Simple config | carrier.py:25:13:25:35 | .attr = simple.test | carrier.py:25:9:25:36 | ControlFlowNode for hub() |  | carrier.py:13:1:13:13 | Function hub | 0 | attribute attr | simple.test |
+| Simple config | carrier.py:25:29:25:34 | simple.test | carrier.py:25:13:25:35 | ControlFlowNode for ImplicitCarrier() |  | carrier.py:4:5:4:28 | Function ImplicitCarrier.__init__ | 1 | no attribute | simple.test |
+| Simple config | carrier.py:26:10:26:10 | .attr = simple.test | carrier.py:26:10:26:21 | ControlFlowNode for Attribute() |  | carrier.py:10:5:10:23 | Function ImplicitCarrier.get_attr | 0 | attribute attr | simple.test |
+| Simple config | deep.py:6:15:6:17 | simple.test | deep.py:6:12:6:18 | ControlFlowNode for f1() | p0 = simple.test | deep.py:2:1:2:12 | Function f1 | 0 | no attribute | simple.test |
+| Simple config | deep.py:9:15:9:17 | simple.test | deep.py:9:12:9:18 | ControlFlowNode for f2() | p0 = simple.test | deep.py:5:1:5:12 | Function f2 | 0 | no attribute | simple.test |
+| Simple config | deep.py:12:15:12:17 | simple.test | deep.py:12:12:12:18 | ControlFlowNode for f3() | p0 = simple.test | deep.py:8:1:8:12 | Function f3 | 0 | no attribute | simple.test |
+| Simple config | deep.py:15:15:15:17 | simple.test | deep.py:15:12:15:18 | ControlFlowNode for f4() | p0 = simple.test | deep.py:11:1:11:12 | Function f4 | 0 | no attribute | simple.test |
+| Simple config | deep.py:18:15:18:17 | simple.test | deep.py:18:12:18:18 | ControlFlowNode for f5() | p0 = simple.test | deep.py:14:1:14:12 | Function f5 | 0 | no attribute | simple.test |
+| Simple config | deep.py:20:8:20:13 | simple.test | deep.py:20:5:20:14 | ControlFlowNode for f6() |  | deep.py:17:1:17:12 | Function f6 | 0 | no attribute | simple.test |
+| Simple config | test.py:21:10:21:10 | simple.test | test.py:21:5:21:11 | ControlFlowNode for sink() |  | test.py:12:1:12:14 | Function sink | 0 | no attribute | simple.test |
+| Simple config | test.py:25:10:25:10 | simple.test | test.py:25:5:25:11 | ControlFlowNode for sink() |  | test.py:12:1:12:14 | Function sink | 0 | no attribute | simple.test |
+| Simple config | test.py:47:10:47:12 | simple.test | test.py:47:5:47:13 | ControlFlowNode for sink() | p0 = simple.test | test.py:12:1:12:14 | Function sink | 0 | no attribute | simple.test |
+| Simple config | test.py:51:14:51:16 | simple.test | test.py:51:9:51:17 | ControlFlowNode for sink() | p1 = simple.test | test.py:12:1:12:14 | Function sink | 0 | no attribute | simple.test |
+| Simple config | test.py:55:11:55:11 | simple.test | test.py:55:5:55:12 | ControlFlowNode for sink2() |  | test.py:46:1:46:15 | Function sink2 | 0 | no attribute | simple.test |
+| Simple config | test.py:63:17:63:17 | simple.test | test.py:63:5:63:18 | ControlFlowNode for sink3() |  | test.py:49:1:49:21 | Function sink3 | 1 | no attribute | simple.test |
+| Simple config | test.py:70:17:70:17 | simple.test | test.py:70:5:70:18 | ControlFlowNode for sink3() |  | test.py:49:1:49:21 | Function sink3 | 1 | no attribute | simple.test |
+| Simple config | test.py:77:13:77:13 | simple.test | test.py:77:9:77:14 | ControlFlowNode for hub() |  | test.py:72:1:72:13 | Function hub | 0 | no attribute | simple.test |
+| Simple config | test.py:116:13:116:13 | .x = simple.test | test.py:116:9:116:14 | ControlFlowNode for hub() |  | test.py:72:1:72:13 | Function hub | 0 | attribute x | simple.test |
+| Simple config | test.py:117:12:117:12 | .x = simple.test | test.py:117:5:117:13 | ControlFlowNode for x_sink() |  | test.py:105:1:105:16 | Function x_sink | 0 | attribute x | simple.test |
+| Simple config | test.py:196:19:196:19 | simple.test | test.py:196:8:196:25 | ControlFlowNode for isinstance() |  | file://:0:0:0:0 | Builtin-function isinstance | 0 | no attribute | simple.test |
+| Taint carrier config | carrier.py:29:13:29:32 | explicit.carrier | carrier.py:29:9:29:33 | ControlFlowNode for hub() |  | carrier.py:13:1:13:13 | Function hub | 0 | no attribute | explicit.carrier |
+| Taint carrier config | carrier.py:33:25:33:44 | explicit.carrier | carrier.py:33:9:33:45 | ControlFlowNode for ImplicitCarrier() |  | carrier.py:4:5:4:28 | Function ImplicitCarrier.__init__ | 1 | no attribute | explicit.carrier |
--- a/python/ql/test/library-tests/taint/config/TaintedArgument.ql
+++ b/python/ql/test/library-tests/taint/config/TaintedArgument.ql
@@ -0,0 +1,14 @@
+
+import python
+
+
+
+import semmle.python.security.TaintTracking
+import TaintLib
+import semmle.python.dataflow.Implementation
+
+from TaintTrackingImplementation config, TaintTrackingNode src, CallNode call, 
+     TaintTrackingContext caller, CallableValue pyfunc, int arg, AttributePath path, TaintKind kind
+where config instanceof TestConfig and
+config.callWithTaintedArgument(src, call, caller, pyfunc, arg, path, kind)
+select config, src, call, caller, pyfunc, arg, path, kind
--- a/python/ql/test/library-tests/taint/config/TestNode.expected
+++ b/python/ql/test/library-tests/taint/config/TestNode.expected
@@ -0,0 +1,314 @@
+| carrier.py:4 | explicit.carrier | SSA variable arg | no attribute | p1 = explicit.carrier |
+| carrier.py:4 | explicit.carrier | arg | no attribute | p1 = explicit.carrier |
+| carrier.py:4 | simple.test | SSA variable arg | no attribute | p1 = simple.test |
+| carrier.py:4 | simple.test | arg | no attribute | p1 = simple.test |
+| carrier.py:5 | explicit.carrier | SSA variable self | attribute attr | p1 = explicit.carrier |
+| carrier.py:5 | explicit.carrier | arg | no attribute | p1 = explicit.carrier |
+| carrier.py:5 | simple.test | SSA variable self | attribute attr | p1 = simple.test |
+| carrier.py:5 | simple.test | arg | no attribute | p1 = simple.test |
+| carrier.py:10 | simple.test | SSA variable self | attribute attr | p0.attr = simple.test |
+| carrier.py:10 | simple.test | self | attribute attr | p0.attr = simple.test |
+| carrier.py:11 | simple.test | Attribute | no attribute | p0.attr = simple.test |
+| carrier.py:11 | simple.test | self | attribute attr | p0.attr = simple.test |
+| carrier.py:13 | explicit.carrier | SSA variable arg | no attribute | p0 = explicit.carrier |
+| carrier.py:13 | explicit.carrier | arg | no attribute | p0 = explicit.carrier |
+| carrier.py:13 | simple.test | SSA variable arg | attribute attr | p0.attr = simple.test |
+| carrier.py:13 | simple.test | arg | attribute attr | p0.attr = simple.test |
+| carrier.py:14 | explicit.carrier | arg | no attribute | p0 = explicit.carrier |
+| carrier.py:14 | simple.test | arg | attribute attr | p0.attr = simple.test |
+| carrier.py:17 | simple.test | ImplicitCarrier() | attribute attr |  |
+| carrier.py:17 | simple.test | SOURCE | no attribute |  |
+| carrier.py:17 | simple.test | SSA variable c | attribute attr |  |
+| carrier.py:18 | simple.test | Attribute | no attribute |  |
+| carrier.py:18 | simple.test | c | attribute attr |  |
+| carrier.py:21 | explicit.carrier | SSA variable c | no attribute |  |
+| carrier.py:21 | explicit.carrier | TAINT_CARRIER_SOURCE | no attribute |  |
+| carrier.py:22 | explicit.carrier | SSA variable c | no attribute |  |
+| carrier.py:22 | explicit.carrier | c | no attribute |  |
+| carrier.py:22 | simple.test | Attribute() | no attribute |  |
+| carrier.py:25 | simple.test | ImplicitCarrier() | attribute attr |  |
+| carrier.py:25 | simple.test | SOURCE | no attribute |  |
+| carrier.py:25 | simple.test | SSA variable c | attribute attr |  |
+| carrier.py:25 | simple.test | hub() | attribute attr |  |
+| carrier.py:26 | simple.test | Attribute() | no attribute |  |
+| carrier.py:26 | simple.test | SSA variable c | attribute attr |  |
+| carrier.py:26 | simple.test | c | attribute attr |  |
+| carrier.py:29 | explicit.carrier | SSA variable c | no attribute |  |
+| carrier.py:29 | explicit.carrier | TAINT_CARRIER_SOURCE | no attribute |  |
+| carrier.py:29 | explicit.carrier | hub() | no attribute |  |
+| carrier.py:30 | explicit.carrier | SSA variable c | no attribute |  |
+| carrier.py:30 | explicit.carrier | c | no attribute |  |
+| carrier.py:30 | simple.test | Attribute() | no attribute |  |
+| carrier.py:33 | explicit.carrier | ImplicitCarrier() | attribute attr |  |
+| carrier.py:33 | explicit.carrier | SSA variable c | attribute attr |  |
+| carrier.py:33 | explicit.carrier | TAINT_CARRIER_SOURCE | no attribute |  |
+| carrier.py:34 | explicit.carrier | Attribute | no attribute |  |
+| carrier.py:34 | explicit.carrier | SSA variable x | no attribute |  |
+| carrier.py:34 | explicit.carrier | c | attribute attr |  |
+| carrier.py:35 | explicit.carrier | SSA variable x | no attribute |  |
+| carrier.py:35 | explicit.carrier | x | no attribute |  |
+| carrier.py:35 | simple.test | Attribute() | no attribute |  |
+| deep.py:2 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:2 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:3 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:5 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:5 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:6 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:6 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:6 | simple.test | f1() | no attribute | p0 = simple.test |
+| deep.py:8 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:8 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:9 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:9 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:9 | simple.test | f2() | no attribute | p0 = simple.test |
+| deep.py:11 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:11 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:12 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:12 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:12 | simple.test | f3() | no attribute | p0 = simple.test |
+| deep.py:14 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:14 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:15 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:15 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:15 | simple.test | f4() | no attribute | p0 = simple.test |
+| deep.py:17 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:17 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:18 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| deep.py:18 | simple.test | arg | no attribute | p0 = simple.test |
+| deep.py:18 | simple.test | f5() | no attribute | p0 = simple.test |
+| deep.py:20 | simple.test | GSSA Variable x | no attribute |  |
+| deep.py:20 | simple.test | SOURCE | no attribute |  |
+| deep.py:20 | simple.test | f6() | no attribute |  |
+| deep.py:22 | simple.test | GSSA Variable x | no attribute |  |
+| deep.py:22 | simple.test | x | no attribute |  |
+| module.py:3 | simple.test | GSSA Variable dangerous | no attribute |  |
+| module.py:3 | simple.test | SOURCE | no attribute |  |
+| module.py:7 | simple.test | SOURCE | no attribute |  |
+| module.py:10 | simple.test | SOURCE | no attribute |  |
+| rockpaperscissors.py:3 | scissors | SSA variable arg | no attribute | p0 = scissors |
+| rockpaperscissors.py:3 | scissors | arg | no attribute | p0 = scissors |
+| rockpaperscissors.py:6 | paper | SSA variable arg | no attribute | p0 = paper |
+| rockpaperscissors.py:6 | paper | arg | no attribute | p0 = paper |
+| rockpaperscissors.py:6 | rock | SSA variable arg | no attribute | p0 = rock |
+| rockpaperscissors.py:6 | rock | arg | no attribute | p0 = rock |
+| rockpaperscissors.py:6 | scissors | SSA variable arg | no attribute | p0 = scissors |
+| rockpaperscissors.py:6 | scissors | arg | no attribute | p0 = scissors |
+| rockpaperscissors.py:9 | paper | SSA variable arg | no attribute | p0 = paper |
+| rockpaperscissors.py:9 | paper | arg | no attribute | p0 = paper |
+| rockpaperscissors.py:9 | scissors | SSA variable arg | no attribute | p0 = scissors |
+| rockpaperscissors.py:9 | scissors | arg | no attribute | p0 = scissors |
+| rockpaperscissors.py:13 | scissors | SCISSORS | no attribute |  |
+| rockpaperscissors.py:16 | rock | ROCK | no attribute |  |
+| rockpaperscissors.py:19 | rock | ROCK | no attribute |  |
+| rockpaperscissors.py:19 | rock | SSA variable x | no attribute |  |
+| rockpaperscissors.py:20 | rock | SSA variable x | no attribute |  |
+| rockpaperscissors.py:20 | rock | x | no attribute |  |
+| rockpaperscissors.py:20 | scissors | Attribute() | no attribute |  |
+| rockpaperscissors.py:20 | scissors | SSA variable y | no attribute |  |
+| rockpaperscissors.py:21 | scissors | SSA variable y | no attribute |  |
+| rockpaperscissors.py:21 | scissors | y | no attribute |  |
+| rockpaperscissors.py:24 | rock | ROCK | no attribute |  |
+| rockpaperscissors.py:24 | rock | SSA variable x | no attribute |  |
+| rockpaperscissors.py:25 | paper | Attribute() | no attribute |  |
+| rockpaperscissors.py:25 | paper | SSA variable y | no attribute |  |
+| rockpaperscissors.py:25 | rock | SSA variable x | no attribute |  |
+| rockpaperscissors.py:25 | rock | x | no attribute |  |
+| rockpaperscissors.py:25 | scissors | Attribute() | no attribute |  |
+| rockpaperscissors.py:26 | paper | SSA variable y | no attribute |  |
+| rockpaperscissors.py:26 | paper | y | no attribute |  |
+| rockpaperscissors.py:29 | scissors | SCISSORS | no attribute |  |
+| rockpaperscissors.py:29 | scissors | SSA variable x | no attribute |  |
+| rockpaperscissors.py:30 | paper | Attribute() | no attribute |  |
+| rockpaperscissors.py:30 | paper | SSA variable y | no attribute |  |
+| rockpaperscissors.py:30 | scissors | SSA variable x | no attribute |  |
+| rockpaperscissors.py:30 | scissors | x | no attribute |  |
+| rockpaperscissors.py:31 | scissors | SSA variable x | no attribute |  |
+| rockpaperscissors.py:31 | scissors | x | no attribute |  |
+| rockpaperscissors.py:32 | paper | SSA variable y | no attribute |  |
+| rockpaperscissors.py:32 | paper | y | no attribute |  |
+| test.py:3 | simple.test | SOURCE | no attribute |  |
+| test.py:6 | simple.test | SOURCE | no attribute |  |
+| test.py:6 | simple.test | SSA variable s | no attribute |  |
+| test.py:7 | simple.test | SSA variable s | no attribute |  |
+| test.py:7 | simple.test | s | no attribute |  |
+| test.py:10 | simple.test | SOURCE | no attribute |  |
+| test.py:12 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| test.py:12 | simple.test | arg | no attribute | p0 = simple.test |
+| test.py:13 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| test.py:13 | simple.test | arg | no attribute | p0 = simple.test |
+| test.py:16 | simple.test | SSA variable t | no attribute |  |
+| test.py:16 | simple.test | source() | no attribute |  |
+| test.py:17 | simple.test | SSA variable t | no attribute |  |
+| test.py:17 | simple.test | t | no attribute |  |
+| test.py:20 | simple.test | SOURCE | no attribute |  |
+| test.py:20 | simple.test | SSA variable t | no attribute |  |
+| test.py:21 | simple.test | SSA variable t | no attribute |  |
+| test.py:21 | simple.test | t | no attribute |  |
+| test.py:24 | simple.test | SSA variable t | no attribute |  |
+| test.py:24 | simple.test | source() | no attribute |  |
+| test.py:25 | simple.test | SSA variable t | no attribute |  |
+| test.py:25 | simple.test | t | no attribute |  |
+| test.py:31 | simple.test | SOURCE | no attribute |  |
+| test.py:31 | simple.test | SSA variable t | no attribute |  |
+| test.py:37 | simple.test | SOURCE | no attribute |  |
+| test.py:37 | simple.test | SSA variable t | no attribute |  |
+| test.py:41 | simple.test | SSA variable t | no attribute |  |
+| test.py:41 | simple.test | t | no attribute |  |
+| test.py:44 | simple.test | source() | no attribute |  |
+| test.py:46 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| test.py:46 | simple.test | arg | no attribute | p0 = simple.test |
+| test.py:47 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| test.py:47 | simple.test | arg | no attribute | p0 = simple.test |
+| test.py:49 | simple.test | SSA variable arg | no attribute | p1 = simple.test |
+| test.py:49 | simple.test | arg | no attribute | p1 = simple.test |
+| test.py:51 | simple.test | SSA variable arg | no attribute | p1 = simple.test |
+| test.py:51 | simple.test | arg | no attribute | p1 = simple.test |
+| test.py:54 | simple.test | SSA variable t | no attribute |  |
+| test.py:54 | simple.test | source2() | no attribute |  |
+| test.py:55 | simple.test | SSA variable t | no attribute |  |
+| test.py:55 | simple.test | t | no attribute |  |
+| test.py:62 | simple.test | SOURCE | no attribute |  |
+| test.py:62 | simple.test | SSA variable t | no attribute |  |
+| test.py:63 | simple.test | SSA variable t | no attribute |  |
+| test.py:63 | simple.test | t | no attribute |  |
+| test.py:67 | simple.test | SOURCE | no attribute |  |
+| test.py:67 | simple.test | SSA variable t | no attribute |  |
+| test.py:70 | simple.test | SSA variable t | no attribute |  |
+| test.py:70 | simple.test | t | no attribute |  |
+| test.py:72 | simple.test | SSA variable arg | attribute x | p0.x = simple.test |
+| test.py:72 | simple.test | SSA variable arg | no attribute | p0 = simple.test |
+| test.py:72 | simple.test | arg | attribute x | p0.x = simple.test |
+| test.py:72 | simple.test | arg | no attribute | p0 = simple.test |
+| test.py:73 | simple.test | arg | attribute x | p0.x = simple.test |
+| test.py:73 | simple.test | arg | no attribute | p0 = simple.test |
+| test.py:76 | simple.test | SOURCE | no attribute |  |
+| test.py:76 | simple.test | SSA variable t | no attribute |  |
+| test.py:77 | simple.test | SSA variable t | no attribute |  |
+| test.py:77 | simple.test | hub() | no attribute |  |
+| test.py:77 | simple.test | t | no attribute |  |
+| test.py:78 | simple.test | SSA variable t | no attribute |  |
+| test.py:78 | simple.test | t | no attribute |  |
+| test.py:85 | simple.test | GSSA Variable module | attribute dangerous |  |
+| test.py:85 | simple.test | ImportExpr | attribute dangerous |  |
+| test.py:87 | simple.test | GSSA Variable module | attribute dangerous |  |
+| test.py:88 | simple.test | Attribute | no attribute |  |
+| test.py:88 | simple.test | SSA variable t | no attribute |  |
+| test.py:88 | simple.test | module | attribute dangerous |  |
+| test.py:89 | simple.test | SSA variable t | no attribute |  |
+| test.py:89 | simple.test | t | no attribute |  |
+| test.py:91 | simple.test | GSSA Variable module | attribute dangerous |  |
+| test.py:92 | simple.test | module | attribute dangerous |  |
+| test.py:95 | simple.test | GSSA Variable module | attribute dangerous |  |
+| test.py:96 | simple.test | module | attribute dangerous |  |
+| test.py:99 | simple.test | GSSA Variable module | attribute dangerous |  |
+| test.py:100 | simple.test | Attribute() | no attribute |  |
+| test.py:100 | simple.test | SSA variable t | no attribute |  |
+| test.py:100 | simple.test | module | attribute dangerous |  |
+| test.py:101 | simple.test | SSA variable t | no attribute |  |
+| test.py:101 | simple.test | t | no attribute |  |
+| test.py:105 | simple.test | SSA variable arg | attribute x | p0.x = simple.test |
+| test.py:105 | simple.test | arg | attribute x | p0.x = simple.test |
+| test.py:106 | simple.test | Attribute | no attribute | p0.x = simple.test |
+| test.py:106 | simple.test | arg | attribute x | p0.x = simple.test |
+| test.py:108 | simple.test | GSSA Variable module | attribute dangerous |  |
+| test.py:110 | simple.test | Attribute | no attribute |  |
+| test.py:110 | simple.test | SSA variable t | attribute x |  |
+| test.py:110 | simple.test | module | attribute dangerous |  |
+| test.py:111 | simple.test | Attribute | no attribute |  |
+| test.py:111 | simple.test | t | attribute x |  |
+| test.py:113 | simple.test | GSSA Variable module | attribute dangerous |  |
+| test.py:115 | simple.test | Attribute | no attribute |  |
+| test.py:115 | simple.test | SSA variable t | attribute x |  |
+| test.py:115 | simple.test | module | attribute dangerous |  |
+| test.py:116 | simple.test | SSA variable t | attribute x |  |
+| test.py:116 | simple.test | hub() | attribute x |  |
+| test.py:116 | simple.test | t | attribute x |  |
+| test.py:117 | simple.test | SSA variable t | attribute x |  |
+| test.py:117 | simple.test | t | attribute x |  |
+| test.py:120 | simple.test | CUSTOM_SOURCE | no attribute |  |
+| test.py:120 | simple.test | SSA variable t | no attribute |  |
+| test.py:121 | simple.test | t | no attribute |  |
+| test.py:126 | simple.test | CUSTOM_SOURCE | no attribute |  |
+| test.py:126 | simple.test | SSA variable t | no attribute |  |
+| test.py:128 | simple.test | SOURCE | no attribute |  |
+| test.py:128 | simple.test | SSA variable t | no attribute |  |
+| test.py:130 | simple.test | SSA variable t | no attribute |  |
+| test.py:130 | simple.test | t | no attribute |  |
+| test.py:132 | simple.test | SSA variable t | no attribute |  |
+| test.py:132 | simple.test | t | no attribute |  |
+| test.py:136 | simple.test | CUSTOM_SOURCE | no attribute |  |
+| test.py:136 | simple.test | SSA variable t | no attribute |  |
+| test.py:138 | simple.test | SOURCE | no attribute |  |
+| test.py:138 | simple.test | SSA variable t | no attribute |  |
+| test.py:140 | simple.test | SSA variable t | no attribute |  |
+| test.py:140 | simple.test | t | no attribute |  |
+| test.py:142 | simple.test | SSA variable t | no attribute |  |
+| test.py:142 | simple.test | t | no attribute |  |
+| test.py:146 | simple.test | CUSTOM_SOURCE | no attribute |  |
+| test.py:146 | simple.test | SSA variable t | no attribute |  |
+| test.py:148 | simple.test | SOURCE | no attribute |  |
+| test.py:148 | simple.test | SSA variable t | no attribute |  |
+| test.py:149 | simple.test | t | no attribute |  |
+| test.py:155 | simple.test | GSSA Variable unsafe | no attribute |  |
+| test.py:155 | simple.test | ImportExpr | attribute dangerous |  |
+| test.py:155 | simple.test | ImportMember | no attribute |  |
+| test.py:156 | simple.test | GSSA Variable unsafe | no attribute |  |
+| test.py:156 | simple.test | unsafe | no attribute |  |
+| test.py:159 | simple.test | SOURCE | no attribute |  |
+| test.py:159 | simple.test | SSA variable t | no attribute |  |
+| test.py:160 | simple.test | SSA variable t | no attribute |  |
+| test.py:160 | simple.test | t | no attribute |  |
+| test.py:163 | simple.test | SOURCE | no attribute |  |
+| test.py:163 | simple.test | SSA variable s | no attribute |  |
+| test.py:164 | simple.test | SSA variable s | no attribute |  |
+| test.py:164 | simple.test | s | no attribute |  |
+| test.py:165 | simple.test | SSA variable s | no attribute |  |
+| test.py:165 | simple.test | s | no attribute |  |
+| test.py:168 | [simple.test] | List | no attribute |  |
+| test.py:168 | [simple.test] | SSA variable l | no attribute |  |
+| test.py:168 | simple.test | SOURCE | no attribute |  |
+| test.py:169 | simple.test | SOURCE | no attribute |  |
+| test.py:169 | {simple.test} | Dict | no attribute |  |
+| test.py:169 | {simple.test} | SSA variable d | no attribute |  |
+| test.py:170 | [simple.test] | SSA variable l | no attribute |  |
+| test.py:170 | [simple.test] | l | no attribute |  |
+| test.py:171 | {simple.test} | SSA variable d | no attribute |  |
+| test.py:171 | {simple.test} | d | no attribute |  |
+| test.py:174 | [simple.test] | SSA variable l | no attribute |  |
+| test.py:174 | [simple.test] | SSA variable l2 | no attribute |  |
+| test.py:174 | [simple.test] | l | no attribute |  |
+| test.py:174 | [simple.test] | list() | no attribute |  |
+| test.py:175 | {simple.test} | SSA variable d | no attribute |  |
+| test.py:175 | {simple.test} | SSA variable d2 | no attribute |  |
+| test.py:175 | {simple.test} | d | no attribute |  |
+| test.py:175 | {simple.test} | dict() | no attribute |  |
+| test.py:178 | simple.test | SOURCE | no attribute |  |
+| test.py:178 | simple.test | SSA variable t | no attribute |  |
+| test.py:179 | simple.test | t | no attribute |  |
+| test.py:180 | simple.test | SSA variable t | no attribute |  |
+| test.py:180 | simple.test | t | no attribute |  |
+| test.py:183 | simple.test | SSA variable t | no attribute |  |
+| test.py:183 | simple.test | t | no attribute |  |
+| test.py:186 | simple.test | SSA variable t | no attribute |  |
+| test.py:186 | simple.test | t | no attribute |  |
+| test.py:194 | simple.test | SSA variable t | no attribute |  |
+| test.py:195 | simple.test | SOURCE | no attribute |  |
+| test.py:195 | simple.test | SSA variable t | no attribute |  |
+| test.py:196 | simple.test | t | no attribute |  |
+| test.py:197 | simple.test | SSA variable t | no attribute |  |
+| test.py:197 | simple.test | t | no attribute |  |
+| test.py:199 | simple.test | SSA variable t | no attribute |  |
+| test.py:199 | simple.test | t | no attribute |  |
+| test.py:208 | [simple.test] | List | no attribute |  |
+| test.py:208 | [simple.test] | SSA variable seq | no attribute |  |
+| test.py:208 | simple.test | SOURCE | no attribute |  |
+| test.py:209 | [simple.test] | seq | no attribute |  |
+| test.py:209 | simple.test | For | no attribute |  |
+| test.py:209 | simple.test | SSA variable i | no attribute |  |
+| test.py:210 | simple.test | i | no attribute |  |
+| test.py:213 | [simple.test] | flow_in_generator() | no attribute |  |
+| test.py:213 | iterable.simple | flow_in_generator() | no attribute |  |
+| test.py:213 | simple.test | For | no attribute |  |
+| test.py:213 | simple.test | SSA variable x | no attribute |  |
+| test.py:214 | simple.test | SSA variable x | no attribute |  |
+| test.py:214 | simple.test | x | no attribute |  |
--- a/python/ql/test/library-tests/taint/config/TestNode.ql
+++ b/python/ql/test/library-tests/taint/config/TestNode.ql
@@ -0,0 +1,10 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.dataflow.Implementation
+import TaintLib
+
+
+from TaintTrackingNode n
+where n.getConfiguration() instanceof TestConfig
+select n.getLocation().toString(), n.getTaintKind(), n.getNode().toString(), n.getPath().toString(), n.getContext().toString()
+
--- a/python/ql/test/library-tests/taint/config/TestSink.expected
+++ b/python/ql/test/library-tests/taint/config/TestSink.expected
@@ -0,0 +1,80 @@
+| carrier.py:18 | Simple config | Attribute | simple.test |
+| carrier.py:18 | Taint carrier config | Attribute | simple.test |
+| carrier.py:22 | Simple config | Attribute() | simple.test |
+| carrier.py:22 | Taint carrier config | Attribute() | simple.test |
+| carrier.py:26 | Simple config | Attribute() | simple.test |
+| carrier.py:26 | Taint carrier config | Attribute() | simple.test |
+| carrier.py:30 | Simple config | Attribute() | simple.test |
+| carrier.py:30 | Taint carrier config | Attribute() | simple.test |
+| carrier.py:35 | Simple config | Attribute() | simple.test |
+| carrier.py:35 | Taint carrier config | Attribute() | simple.test |
+| deep.py:22 | Simple config | x | simple.test |
+| deep.py:22 | Taint carrier config | x | simple.test |
+| rockpaperscissors.py:13 | Rock-paper-scissors config | SCISSORS | scissors |
+| rockpaperscissors.py:16 | Rock-paper-scissors config | ROCK | rock |
+| rockpaperscissors.py:21 | Rock-paper-scissors config | y | paper |
+| rockpaperscissors.py:26 | Rock-paper-scissors config | y | paper |
+| rockpaperscissors.py:31 | Rock-paper-scissors config | x | rock |
+| rockpaperscissors.py:32 | Rock-paper-scissors config | y | rock |
+| test.py:3 | Simple config | SOURCE | simple.test |
+| test.py:3 | Taint carrier config | SOURCE | simple.test |
+| test.py:7 | Simple config | s | simple.test |
+| test.py:7 | Taint carrier config | s | simple.test |
+| test.py:13 | Simple config | arg | simple.test |
+| test.py:13 | Taint carrier config | arg | simple.test |
+| test.py:17 | Simple config | t | simple.test |
+| test.py:17 | Taint carrier config | t | simple.test |
+| test.py:33 | Simple config | t | simple.test |
+| test.py:33 | Taint carrier config | t | simple.test |
+| test.py:41 | Simple config | t | simple.test |
+| test.py:41 | Taint carrier config | t | simple.test |
+| test.py:78 | Simple config | t | simple.test |
+| test.py:78 | Taint carrier config | t | simple.test |
+| test.py:83 | Simple config | t | simple.test |
+| test.py:83 | Taint carrier config | t | simple.test |
+| test.py:89 | Simple config | t | simple.test |
+| test.py:89 | Taint carrier config | t | simple.test |
+| test.py:93 | Simple config | t | simple.test |
+| test.py:93 | Taint carrier config | t | simple.test |
+| test.py:97 | Simple config | t | simple.test |
+| test.py:97 | Taint carrier config | t | simple.test |
+| test.py:101 | Simple config | t | simple.test |
+| test.py:101 | Taint carrier config | t | simple.test |
+| test.py:106 | Simple config | Attribute | simple.test |
+| test.py:106 | Taint carrier config | Attribute | simple.test |
+| test.py:111 | Simple config | Attribute | simple.test |
+| test.py:111 | Taint carrier config | Attribute | simple.test |
+| test.py:122 | Basic custom config | t | simple.test |
+| test.py:130 | Basic custom config | t | simple.test |
+| test.py:132 | Simple config | t | simple.test |
+| test.py:132 | Taint carrier config | t | simple.test |
+| test.py:140 | Basic custom config | t | simple.test |
+| test.py:142 | Simple config | t | simple.test |
+| test.py:142 | Taint carrier config | t | simple.test |
+| test.py:151 | Basic custom config | t | simple.test |
+| test.py:153 | Simple config | t | simple.test |
+| test.py:153 | Taint carrier config | t | simple.test |
+| test.py:156 | Simple config | unsafe | simple.test |
+| test.py:156 | Taint carrier config | unsafe | simple.test |
+| test.py:160 | Simple config | t | simple.test |
+| test.py:160 | Taint carrier config | t | simple.test |
+| test.py:165 | Simple config | s | simple.test |
+| test.py:165 | Taint carrier config | s | simple.test |
+| test.py:172 | Simple config | Subscript | simple.test |
+| test.py:172 | Taint carrier config | Subscript | simple.test |
+| test.py:173 | Simple config | Subscript | simple.test |
+| test.py:173 | Taint carrier config | Subscript | simple.test |
+| test.py:180 | Simple config | t | simple.test |
+| test.py:180 | Taint carrier config | t | simple.test |
+| test.py:182 | Simple config | t | simple.test |
+| test.py:182 | Taint carrier config | t | simple.test |
+| test.py:184 | Simple config | t | simple.test |
+| test.py:184 | Taint carrier config | t | simple.test |
+| test.py:186 | Simple config | t | simple.test |
+| test.py:186 | Taint carrier config | t | simple.test |
+| test.py:197 | Simple config | t | simple.test |
+| test.py:197 | Taint carrier config | t | simple.test |
+| test.py:199 | Simple config | t | simple.test |
+| test.py:199 | Taint carrier config | t | simple.test |
+| test.py:214 | Simple config | x | simple.test |
+| test.py:214 | Taint carrier config | x | simple.test |
--- a/python/ql/test/library-tests/taint/config/TestSink.ql
+++ b/python/ql/test/library-tests/taint/config/TestSink.ql
@@ -0,0 +1,8 @@
+import python
+import semmle.python.security.TaintTracking
+import TaintLib
+
+from TestConfig config, DataFlow::Node sink, TaintKind kind
+
+where config.isSink(sink, kind)
+select sink.getLocation().toString(), config, sink.toString(), kind
--- a/python/ql/test/library-tests/taint/config/TestSource.expected
+++ b/python/ql/test/library-tests/taint/config/TestSource.expected
@@ -0,0 +1,37 @@
+| Basic custom config | test.py:120 | 120 | CUSTOM_SOURCE | simple.test |
+| Basic custom config | test.py:126 | 126 | CUSTOM_SOURCE | simple.test |
+| Basic custom config | test.py:136 | 136 | CUSTOM_SOURCE | simple.test |
+| Basic custom config | test.py:146 | 146 | CUSTOM_SOURCE | simple.test |
+| Rock-paper-scissors config | rockpaperscissors.py:13 | 13 | SCISSORS | scissors |
+| Rock-paper-scissors config | rockpaperscissors.py:16 | 16 | ROCK | rock |
+| Rock-paper-scissors config | rockpaperscissors.py:19 | 19 | ROCK | rock |
+| Rock-paper-scissors config | rockpaperscissors.py:24 | 24 | ROCK | rock |
+| Rock-paper-scissors config | rockpaperscissors.py:29 | 29 | SCISSORS | scissors |
+| Simple config | carrier.py:17 | 17 | SOURCE | simple.test |
+| Simple config | carrier.py:25 | 25 | SOURCE | simple.test |
+| Simple config | deep.py:20 | 20 | SOURCE | simple.test |
+| Simple config | module.py:3 | 3 | SOURCE | simple.test |
+| Simple config | module.py:7 | 7 | SOURCE | simple.test |
+| Simple config | module.py:10 | 10 | SOURCE | simple.test |
+| Simple config | test.py:3 | 3 | SOURCE | simple.test |
+| Simple config | test.py:6 | 6 | SOURCE | simple.test |
+| Simple config | test.py:10 | 10 | SOURCE | simple.test |
+| Simple config | test.py:20 | 20 | SOURCE | simple.test |
+| Simple config | test.py:31 | 31 | SOURCE | simple.test |
+| Simple config | test.py:37 | 37 | SOURCE | simple.test |
+| Simple config | test.py:62 | 62 | SOURCE | simple.test |
+| Simple config | test.py:67 | 67 | SOURCE | simple.test |
+| Simple config | test.py:76 | 76 | SOURCE | simple.test |
+| Simple config | test.py:128 | 128 | SOURCE | simple.test |
+| Simple config | test.py:138 | 138 | SOURCE | simple.test |
+| Simple config | test.py:148 | 148 | SOURCE | simple.test |
+| Simple config | test.py:159 | 159 | SOURCE | simple.test |
+| Simple config | test.py:163 | 163 | SOURCE | simple.test |
+| Simple config | test.py:168 | 168 | SOURCE | simple.test |
+| Simple config | test.py:169 | 169 | SOURCE | simple.test |
+| Simple config | test.py:178 | 178 | SOURCE | simple.test |
+| Simple config | test.py:195 | 195 | SOURCE | simple.test |
+| Simple config | test.py:208 | 208 | SOURCE | simple.test |
+| Taint carrier config | carrier.py:21 | 21 | TAINT_CARRIER_SOURCE | explicit.carrier |
+| Taint carrier config | carrier.py:29 | 29 | TAINT_CARRIER_SOURCE | explicit.carrier |
+| Taint carrier config | carrier.py:33 | 33 | TAINT_CARRIER_SOURCE | explicit.carrier |
--- a/python/ql/test/library-tests/taint/config/TestSource.ql
+++ b/python/ql/test/library-tests/taint/config/TestSource.ql
@@ -0,0 +1,8 @@
+import python
+import semmle.python.security.TaintTracking
+import TaintLib
+
+from TestConfig config, DataFlow::Node source, TaintKind kind
+
+where config.isSource(source, kind)
+select config, source.getLocation().toString(), source.getLocation().getStartLine(), source.toString(), kind
--- a/python/ql/test/library-tests/taint/config/TestStep.expected
+++ b/python/ql/test/library-tests/taint/config/TestStep.expected
@@ -0,0 +1,158 @@
+| Basic custom config: | simple.test | test.py:120 | CUSTOM_SOURCE |  |  -->  | simple.test | test.py:121 | t |  |
+| Basic custom config: | simple.test | test.py:126 | CUSTOM_SOURCE |  |  -->  | simple.test | test.py:130 | t |  |
+| Basic custom config: | simple.test | test.py:136 | CUSTOM_SOURCE |  |  -->  | simple.test | test.py:142 | t |  |
+| Basic custom config: | simple.test | test.py:146 | CUSTOM_SOURCE |  |  -->  | simple.test | test.py:149 | t |  |
+| Rock-paper-scissors config: | paper | rockpaperscissors.py:25 | Attribute() |  |  -->  | paper | rockpaperscissors.py:26 | y |  |
+| Rock-paper-scissors config: | paper | rockpaperscissors.py:26 | y |  |  -->  | paper | rockpaperscissors.py:9 | arg | p0 = paper |
+| Rock-paper-scissors config: | paper | rockpaperscissors.py:30 | Attribute() |  |  -->  | paper | rockpaperscissors.py:32 | y |  |
+| Rock-paper-scissors config: | paper | rockpaperscissors.py:32 | y |  |  -->  | paper | rockpaperscissors.py:6 | arg | p0 = paper |
+| Rock-paper-scissors config: | rock | rockpaperscissors.py:16 | ROCK |  |  -->  | rock | rockpaperscissors.py:6 | arg | p0 = rock |
+| Rock-paper-scissors config: | rock | rockpaperscissors.py:19 | ROCK |  |  -->  | rock | rockpaperscissors.py:20 | x |  |
+| Rock-paper-scissors config: | rock | rockpaperscissors.py:20 | x |  |  -->  | scissors | rockpaperscissors.py:20 | Attribute() |  |
+| Rock-paper-scissors config: | rock | rockpaperscissors.py:24 | ROCK |  |  -->  | rock | rockpaperscissors.py:25 | x |  |
+| Rock-paper-scissors config: | rock | rockpaperscissors.py:25 | x |  |  -->  | scissors | rockpaperscissors.py:25 | Attribute() |  |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:13 | SCISSORS |  |  -->  | scissors | rockpaperscissors.py:3 | arg | p0 = scissors |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:20 | Attribute() |  |  -->  | scissors | rockpaperscissors.py:21 | y |  |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:21 | y |  |  -->  | scissors | rockpaperscissors.py:9 | arg | p0 = scissors |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:25 | Attribute() |  |  -->  | paper | rockpaperscissors.py:25 | Attribute() |  |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:29 | SCISSORS |  |  -->  | scissors | rockpaperscissors.py:30 | x |  |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:29 | SCISSORS |  |  -->  | scissors | rockpaperscissors.py:31 | x |  |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:30 | x |  |  -->  | paper | rockpaperscissors.py:30 | Attribute() |  |
+| Rock-paper-scissors config: | scissors | rockpaperscissors.py:31 | x |  |  -->  | scissors | rockpaperscissors.py:6 | arg | p0 = scissors |
+| Simple config: | [simple.test] | test.py:168 | List |  |  -->  | [simple.test] | test.py:170 | l |  |
+| Simple config: | [simple.test] | test.py:168 | List |  |  -->  | [simple.test] | test.py:174 | l |  |
+| Simple config: | [simple.test] | test.py:174 | l |  |  -->  | [simple.test] | test.py:174 | list() |  |
+| Simple config: | [simple.test] | test.py:208 | List |  |  -->  | [simple.test] | test.py:209 | seq |  |
+| Simple config: | [simple.test] | test.py:209 | seq |  |  -->  | simple.test | test.py:209 | For |  |
+| Simple config: | [simple.test] | test.py:213 | flow_in_generator() |  |  -->  | simple.test | test.py:213 | For |  |
+| Simple config: | iterable.simple | test.py:213 | flow_in_generator() |  |  -->  | simple.test | test.py:213 | For |  |
+| Simple config: | simple.test | carrier.py:4 | arg | p1 = simple.test |  -->  | simple.test | carrier.py:5 | arg | p1 = simple.test |
+| Simple config: | simple.test | carrier.py:10 | self | p0.attr = simple.test |  -->  | simple.test | carrier.py:11 | self | p0.attr = simple.test |
+| Simple config: | simple.test | carrier.py:11 | self | p0.attr = simple.test |  -->  | simple.test | carrier.py:11 | Attribute | p0.attr = simple.test |
+| Simple config: | simple.test | carrier.py:13 | arg | p0.attr = simple.test |  -->  | simple.test | carrier.py:14 | arg | p0.attr = simple.test |
+| Simple config: | simple.test | carrier.py:17 | ImplicitCarrier() |  |  -->  | simple.test | carrier.py:18 | c |  |
+| Simple config: | simple.test | carrier.py:17 | SOURCE |  |  -->  | simple.test | carrier.py:4 | arg | p1 = simple.test |
+| Simple config: | simple.test | carrier.py:17 | SOURCE |  |  -->  | simple.test | carrier.py:17 | ImplicitCarrier() |  |
+| Simple config: | simple.test | carrier.py:18 | c |  |  -->  | simple.test | carrier.py:18 | Attribute |  |
+| Simple config: | simple.test | carrier.py:25 | ImplicitCarrier() |  |  -->  | simple.test | carrier.py:13 | arg | p0.attr = simple.test |
+| Simple config: | simple.test | carrier.py:25 | ImplicitCarrier() |  |  -->  | simple.test | carrier.py:25 | hub() |  |
+| Simple config: | simple.test | carrier.py:25 | SOURCE |  |  -->  | simple.test | carrier.py:4 | arg | p1 = simple.test |
+| Simple config: | simple.test | carrier.py:25 | SOURCE |  |  -->  | simple.test | carrier.py:25 | ImplicitCarrier() |  |
+| Simple config: | simple.test | carrier.py:25 | hub() |  |  -->  | simple.test | carrier.py:26 | c |  |
+| Simple config: | simple.test | carrier.py:26 | c |  |  -->  | simple.test | carrier.py:10 | self | p0.attr = simple.test |
+| Simple config: | simple.test | carrier.py:26 | c |  |  -->  | simple.test | carrier.py:26 | Attribute() |  |
+| Simple config: | simple.test | deep.py:2 | arg | p0 = simple.test |  -->  | simple.test | deep.py:3 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:5 | arg | p0 = simple.test |  -->  | simple.test | deep.py:6 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:6 | arg | p0 = simple.test |  -->  | simple.test | deep.py:2 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:6 | arg | p0 = simple.test |  -->  | simple.test | deep.py:6 | f1() | p0 = simple.test |
+| Simple config: | simple.test | deep.py:8 | arg | p0 = simple.test |  -->  | simple.test | deep.py:9 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:9 | arg | p0 = simple.test |  -->  | simple.test | deep.py:5 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:9 | arg | p0 = simple.test |  -->  | simple.test | deep.py:9 | f2() | p0 = simple.test |
+| Simple config: | simple.test | deep.py:11 | arg | p0 = simple.test |  -->  | simple.test | deep.py:12 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:12 | arg | p0 = simple.test |  -->  | simple.test | deep.py:8 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:12 | arg | p0 = simple.test |  -->  | simple.test | deep.py:12 | f3() | p0 = simple.test |
+| Simple config: | simple.test | deep.py:14 | arg | p0 = simple.test |  -->  | simple.test | deep.py:15 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:15 | arg | p0 = simple.test |  -->  | simple.test | deep.py:11 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:15 | arg | p0 = simple.test |  -->  | simple.test | deep.py:15 | f4() | p0 = simple.test |
+| Simple config: | simple.test | deep.py:17 | arg | p0 = simple.test |  -->  | simple.test | deep.py:18 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:18 | arg | p0 = simple.test |  -->  | simple.test | deep.py:14 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:18 | arg | p0 = simple.test |  -->  | simple.test | deep.py:18 | f5() | p0 = simple.test |
+| Simple config: | simple.test | deep.py:20 | SOURCE |  |  -->  | simple.test | deep.py:17 | arg | p0 = simple.test |
+| Simple config: | simple.test | deep.py:20 | SOURCE |  |  -->  | simple.test | deep.py:20 | f6() |  |
+| Simple config: | simple.test | deep.py:20 | f6() |  |  -->  | simple.test | deep.py:22 | x |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:85 | ImportExpr |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:88 | module |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:92 | module |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:96 | module |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:100 | module |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:110 | module |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:115 | module |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:155 | ImportExpr |  |
+| Simple config: | simple.test | module.py:3 | SOURCE |  |  -->  | simple.test | test.py:155 | ImportMember |  |
+| Simple config: | simple.test | module.py:7 | SOURCE |  |  -->  | simple.test | test.py:100 | Attribute() |  |
+| Simple config: | simple.test | test.py:6 | SOURCE |  |  -->  | simple.test | test.py:7 | s |  |
+| Simple config: | simple.test | test.py:10 | SOURCE |  |  -->  | simple.test | test.py:16 | source() |  |
+| Simple config: | simple.test | test.py:10 | SOURCE |  |  -->  | simple.test | test.py:24 | source() |  |
+| Simple config: | simple.test | test.py:10 | SOURCE |  |  -->  | simple.test | test.py:44 | source() |  |
+| Simple config: | simple.test | test.py:12 | arg | p0 = simple.test |  -->  | simple.test | test.py:13 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:16 | source() |  |  -->  | simple.test | test.py:17 | t |  |
+| Simple config: | simple.test | test.py:20 | SOURCE |  |  -->  | simple.test | test.py:21 | t |  |
+| Simple config: | simple.test | test.py:21 | t |  |  -->  | simple.test | test.py:12 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:24 | source() |  |  -->  | simple.test | test.py:25 | t |  |
+| Simple config: | simple.test | test.py:25 | t |  |  -->  | simple.test | test.py:12 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:37 | SOURCE |  |  -->  | simple.test | test.py:41 | t |  |
+| Simple config: | simple.test | test.py:44 | source() |  |  -->  | simple.test | test.py:54 | source2() |  |
+| Simple config: | simple.test | test.py:46 | arg | p0 = simple.test |  -->  | simple.test | test.py:47 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:47 | arg | p0 = simple.test |  -->  | simple.test | test.py:12 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:49 | arg | p1 = simple.test |  -->  | simple.test | test.py:51 | arg | p1 = simple.test |
+| Simple config: | simple.test | test.py:51 | arg | p1 = simple.test |  -->  | simple.test | test.py:12 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:54 | source2() |  |  -->  | simple.test | test.py:55 | t |  |
+| Simple config: | simple.test | test.py:55 | t |  |  -->  | simple.test | test.py:46 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:62 | SOURCE |  |  -->  | simple.test | test.py:63 | t |  |
+| Simple config: | simple.test | test.py:63 | t |  |  -->  | simple.test | test.py:49 | arg | p1 = simple.test |
+| Simple config: | simple.test | test.py:67 | SOURCE |  |  -->  | simple.test | test.py:70 | t |  |
+| Simple config: | simple.test | test.py:70 | t |  |  -->  | simple.test | test.py:49 | arg | p1 = simple.test |
+| Simple config: | simple.test | test.py:72 | arg | p0 = simple.test |  -->  | simple.test | test.py:73 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:72 | arg | p0.x = simple.test |  -->  | simple.test | test.py:73 | arg | p0.x = simple.test |
+| Simple config: | simple.test | test.py:76 | SOURCE |  |  -->  | simple.test | test.py:77 | t |  |
+| Simple config: | simple.test | test.py:77 | hub() |  |  -->  | simple.test | test.py:78 | t |  |
+| Simple config: | simple.test | test.py:77 | t |  |  -->  | simple.test | test.py:72 | arg | p0 = simple.test |
+| Simple config: | simple.test | test.py:77 | t |  |  -->  | simple.test | test.py:77 | hub() |  |
+| Simple config: | simple.test | test.py:85 | ImportExpr |  |  -->  | simple.test | test.py:88 | module |  |
+| Simple config: | simple.test | test.py:85 | ImportExpr |  |  -->  | simple.test | test.py:92 | module |  |
+| Simple config: | simple.test | test.py:85 | ImportExpr |  |  -->  | simple.test | test.py:96 | module |  |
+| Simple config: | simple.test | test.py:85 | ImportExpr |  |  -->  | simple.test | test.py:100 | module |  |
+| Simple config: | simple.test | test.py:85 | ImportExpr |  |  -->  | simple.test | test.py:110 | module |  |
+| Simple config: | simple.test | test.py:85 | ImportExpr |  |  -->  | simple.test | test.py:115 | module |  |
+| Simple config: | simple.test | test.py:88 | Attribute |  |  -->  | simple.test | test.py:89 | t |  |
+| Simple config: | simple.test | test.py:88 | module |  |  -->  | simple.test | test.py:88 | Attribute |  |
+| Simple config: | simple.test | test.py:100 | Attribute() |  |  -->  | simple.test | test.py:101 | t |  |
+| Simple config: | simple.test | test.py:105 | arg | p0.x = simple.test |  -->  | simple.test | test.py:106 | arg | p0.x = simple.test |
+| Simple config: | simple.test | test.py:106 | arg | p0.x = simple.test |  -->  | simple.test | test.py:106 | Attribute | p0.x = simple.test |
+| Simple config: | simple.test | test.py:110 | Attribute |  |  -->  | simple.test | test.py:111 | t |  |
+| Simple config: | simple.test | test.py:110 | module |  |  -->  | simple.test | test.py:110 | Attribute |  |
+| Simple config: | simple.test | test.py:111 | t |  |  -->  | simple.test | test.py:111 | Attribute |  |
+| Simple config: | simple.test | test.py:115 | Attribute |  |  -->  | simple.test | test.py:116 | t |  |
+| Simple config: | simple.test | test.py:115 | module |  |  -->  | simple.test | test.py:115 | Attribute |  |
+| Simple config: | simple.test | test.py:116 | hub() |  |  -->  | simple.test | test.py:117 | t |  |
+| Simple config: | simple.test | test.py:116 | t |  |  -->  | simple.test | test.py:72 | arg | p0.x = simple.test |
+| Simple config: | simple.test | test.py:116 | t |  |  -->  | simple.test | test.py:116 | hub() |  |
+| Simple config: | simple.test | test.py:117 | t |  |  -->  | simple.test | test.py:105 | arg | p0.x = simple.test |
+| Simple config: | simple.test | test.py:128 | SOURCE |  |  -->  | simple.test | test.py:132 | t |  |
+| Simple config: | simple.test | test.py:138 | SOURCE |  |  -->  | simple.test | test.py:140 | t |  |
+| Simple config: | simple.test | test.py:148 | SOURCE |  |  -->  | simple.test | test.py:149 | t |  |
+| Simple config: | simple.test | test.py:155 | ImportMember |  |  -->  | simple.test | test.py:156 | unsafe |  |
+| Simple config: | simple.test | test.py:159 | SOURCE |  |  -->  | simple.test | test.py:160 | t |  |
+| Simple config: | simple.test | test.py:163 | SOURCE |  |  -->  | simple.test | test.py:164 | s |  |
+| Simple config: | simple.test | test.py:163 | SOURCE |  |  -->  | simple.test | test.py:165 | s |  |
+| Simple config: | simple.test | test.py:168 | SOURCE |  |  -->  | [simple.test] | test.py:168 | List |  |
+| Simple config: | simple.test | test.py:169 | SOURCE |  |  -->  | {simple.test} | test.py:169 | Dict |  |
+| Simple config: | simple.test | test.py:178 | SOURCE |  |  -->  | simple.test | test.py:179 | t |  |
+| Simple config: | simple.test | test.py:178 | SOURCE |  |  -->  | simple.test | test.py:180 | t |  |
+| Simple config: | simple.test | test.py:178 | SOURCE |  |  -->  | simple.test | test.py:183 | t |  |
+| Simple config: | simple.test | test.py:178 | SOURCE |  |  -->  | simple.test | test.py:186 | t |  |
+| Simple config: | simple.test | test.py:195 | SOURCE |  |  -->  | simple.test | test.py:196 | t |  |
+| Simple config: | simple.test | test.py:195 | SOURCE |  |  -->  | simple.test | test.py:197 | t |  |
+| Simple config: | simple.test | test.py:195 | SOURCE |  |  -->  | simple.test | test.py:199 | t |  |
+| Simple config: | simple.test | test.py:208 | SOURCE |  |  -->  | [simple.test] | test.py:208 | List |  |
+| Simple config: | simple.test | test.py:209 | For |  |  -->  | simple.test | test.py:210 | i |  |
+| Simple config: | simple.test | test.py:210 | i |  |  -->  | [simple.test] | test.py:213 | flow_in_generator() |  |
+| Simple config: | simple.test | test.py:210 | i |  |  -->  | iterable.simple | test.py:213 | flow_in_generator() |  |
+| Simple config: | simple.test | test.py:213 | For |  |  -->  | simple.test | test.py:214 | x |  |
+| Simple config: | {simple.test} | test.py:169 | Dict |  |  -->  | {simple.test} | test.py:171 | d |  |
+| Simple config: | {simple.test} | test.py:169 | Dict |  |  -->  | {simple.test} | test.py:175 | d |  |
+| Simple config: | {simple.test} | test.py:175 | d |  |  -->  | {simple.test} | test.py:175 | dict() |  |
+| Taint carrier config: | explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier |  -->  | explicit.carrier | carrier.py:5 | arg | p1 = explicit.carrier |
+| Taint carrier config: | explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier |  -->  | explicit.carrier | carrier.py:14 | arg | p0 = explicit.carrier |
+| Taint carrier config: | explicit.carrier | carrier.py:21 | TAINT_CARRIER_SOURCE |  |  -->  | explicit.carrier | carrier.py:22 | c |  |
+| Taint carrier config: | explicit.carrier | carrier.py:22 | c |  |  -->  | simple.test | carrier.py:22 | Attribute() |  |
+| Taint carrier config: | explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE |  |  -->  | explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier |
+| Taint carrier config: | explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE |  |  -->  | explicit.carrier | carrier.py:29 | hub() |  |
+| Taint carrier config: | explicit.carrier | carrier.py:29 | hub() |  |  -->  | explicit.carrier | carrier.py:30 | c |  |
+| Taint carrier config: | explicit.carrier | carrier.py:30 | c |  |  -->  | simple.test | carrier.py:30 | Attribute() |  |
+| Taint carrier config: | explicit.carrier | carrier.py:33 | ImplicitCarrier() |  |  -->  | explicit.carrier | carrier.py:34 | c |  |
+| Taint carrier config: | explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE |  |  -->  | explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier |
+| Taint carrier config: | explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE |  |  -->  | explicit.carrier | carrier.py:33 | ImplicitCarrier() |  |
+| Taint carrier config: | explicit.carrier | carrier.py:34 | Attribute |  |  -->  | explicit.carrier | carrier.py:35 | x |  |
+| Taint carrier config: | explicit.carrier | carrier.py:34 | c |  |  -->  | explicit.carrier | carrier.py:34 | Attribute |  |
+| Taint carrier config: | explicit.carrier | carrier.py:35 | x |  |  -->  | simple.test | carrier.py:35 | Attribute() |  |
--- a/python/ql/test/library-tests/taint/config/TestStep.ql
+++ b/python/ql/test/library-tests/taint/config/TestStep.ql
@@ -0,0 +1,13 @@
+import python
+import semmle.python.security.TaintTracking
+import TaintLib
+import semmle.python.dataflow.Implementation
+
+
+from TaintTrackingNode n, TaintTrackingNode s, TestConfig config
+where s = n.getASuccessor() and config = n.getConfiguration()
+select 
+    config + ":", 
+    n.getTaintKind(), n.getLocation().toString(), n.getNode().toString(), n.getContext(),
+    " --> ",
+    s.getTaintKind(), s.getLocation().toString(), s.getNode().toString(), s.getContext()
--- a/python/ql/test/library-tests/taint/config/carrier.py
+++ b/python/ql/test/library-tests/taint/config/carrier.py
@@ -0,0 +1,35 @@
+
+class ImplicitCarrier(object):
+
+    def __init__(self, arg):
+        self.attr = arg
+
+    def set_attr(self, arg):
+        self.attr = arg
+
+    def get_attr(self):
+        return self.attr
+
+def hub(arg):
+    return arg
+
+def test1():
+    c = ImplicitCarrier(SOURCE)
+    SINK(c.attr)
+
+def test2():
+    c = TAINT_CARRIER_SOURCE
+    SINK(c.get_taint())
+
+def test3():
+    c = hub(ImplicitCarrier(SOURCE))
+    SINK(c.get_attr())
+
+def test4():
+    c = hub(TAINT_CARRIER_SOURCE)
+    SINK(c.get_taint())
+
+def test5():
+    c = ImplicitCarrier(TAINT_CARRIER_SOURCE)
+    x = c.attr
+    SINK(x.get_taint())
--- a/python/ql/test/library-tests/taint/config/deep.py
+++ b/python/ql/test/library-tests/taint/config/deep.py
@@ -0,0 +1,23 @@
+
+def f1(arg):
+    return arg
+
+def f2(arg):
+    return f1(arg)
+
+def f3(arg):
+    return f2(arg)
+
+def f4(arg):
+    return f3(arg)
+
+def f5(arg):
+    return f4(arg)
+
+def f6(arg):
+    return f5(arg)
+
+x = f6(SOURCE)
+
+SINK(x)
+
--- a/python/ql/test/library-tests/taint/config/module.py
+++ b/python/ql/test/library-tests/taint/config/module.py
@@ -0,0 +1,11 @@
+
+
+dangerous = SOURCE
+safe = "safe"
+
+def dangerous_func():
+    return SOURCE
+
+
+safe2 = SOURCE
+safe2 = "safe"
--- a/python/ql/test/library-tests/taint/config/rockpaperscissors.py
+++ b/python/ql/test/library-tests/taint/config/rockpaperscissors.py
@@ -0,0 +1,32 @@
+
+
+def rock(arg):
+    "SCISSORS are vulnerable"
+
+def paper(arg):
+    "ROCK is vulnerable"
+
+def scissors(arg):
+    "PAPER is vulnerable"
+
+def test1():
+    rock(SCISSORS)
+
+def test2():
+    paper(ROCK)
+
+def test3():
+    x = ROCK
+    y = x.prev() #scissors
+    scissors(y)
+
+def test4():
+    x = ROCK
+    y = x.prev().prev() # paper
+    scissors(y)
+
+def test5():
+    x = SCISSORS
+    y = x.prev() # paper
+    paper(x)
+    paper(y)
--- a/python/ql/test/library-tests/taint/config/sanitizer.py
+++ b/python/ql/test/library-tests/taint/config/sanitizer.py
@@ -0,0 +1,36 @@
+
+#Sanitizer functions
+def isEscapedSql(arg): pass
+
+def isValidCommand(arg): pass
+
+
+def sql_inject1():
+    x = user_input()
+    if isEscapedSql(x):
+        sql_query(x)  # Safe
+    else:
+        sql_query(x)  # DANGEROUS
+
+def command_inject1():
+    x = user_input()
+    if isValidCommand(x):
+        os_command(x)  # Safe
+    else:
+        os_command(x)  # DANGEROUS
+
+
+def sql_inject2():
+    x = user_input()
+    if notASanitizer(x):
+        sql_query(x)  # DANGEROUS
+    else:
+        sql_query(x)  # DANGEROUS
+
+def command_inject2():
+    x = user_input()
+    if notASanitizer(x):
+        os_command(x)  # DANGEROUS
+    else:
+        os_command(x)  # DANGEROUS
+
--- a/python/ql/test/library-tests/taint/config/test.py
+++ b/python/ql/test/library-tests/taint/config/test.py
@@ -0,0 +1,215 @@
+
+def test1():
+    SINK(SOURCE)
+
+def test2():
+    s = SOURCE
+    SINK(s)
+
+def source():
+    return SOURCE
+
+def sink(arg):
+    SINK(arg)
+
+def test3():
+    t = source()
+    SINK(t)
+
+def test4():
+    t = SOURCE
+    sink(t)
+
+def test5():
+    t = source()
+    sink(t)
+
+def test6(cond):
+    if cond:
+        t = "Safe"
+    else:
+        t = SOURCE
+    if cond:
+        SINK(t)
+
+def test7(cond):
+    if cond:
+        t = SOURCE
+    else:
+        t = "Safe"
+    if cond:
+        SINK(t)
+
+def source2(arg):
+    return source(arg)
+
+def sink2(arg):
+    sink(arg)
+
+def sink3(cond, arg):
+    if cond:
+        sink(arg)
+
+def test8(cond):
+    t = source2()
+    sink2(t)
+
+#False positive
+def test9(cond):
+    if cond:
+        t  = "Safe"
+    else:
+        t = SOURCE
+    sink3(cond, t)
+
+def test10(cond):
+    if cond:
+        t = SOURCE
+    else:
+        t = "Safe"
+    sink3(cond, t)
+
+def hub(arg):
+    return arg
+
+def test11():
+    t = SOURCE
+    t = hub(t)
+    SINK(t)
+
+def test12():
+    t = "safe"
+    t = hub(t)
+    SINK(t)
+
+import module
+
+def test13():
+    t = module.dangerous
+    SINK(t)
+
+def test14():
+    t = module.safe
+    SINK(t)
+
+def test15():
+    t = module.safe2
+    SINK(t)
+
+def test16():
+    t = module.dangerous_func()
+    SINK(t)
+
+class C(object): pass
+
+def x_sink(arg):
+    SINK(arg.x)
+
+def test17():
+    t = C()
+    t.x = module.dangerous
+    SINK(t.x)
+
+def test18():
+    t = C()
+    t.x = module.dangerous
+    t = hub(t)
+    x_sink(t)
+
+def test19():
+    t = CUSTOM_SOURCE
+    t = hub(TAINT_FROM_ARG(t))
+    CUSTOM_SINK(t)
+
+def test20(cond):
+    if cond:
+        t = CUSTOM_SOURCE
+    else:
+        t = SOURCE
+    if cond:
+        CUSTOM_SINK(t)
+    else:
+        SINK(t)
+
+def test21(cond):
+    if cond:
+        t = CUSTOM_SOURCE
+    else:
+        t = SOURCE
+    if not cond:
+        CUSTOM_SINK(t)
+    else:
+        SINK(t)
+
+def test22(cond):
+    if cond:
+        t = CUSTOM_SOURCE
+    else:
+        t = SOURCE
+    t = TAINT_FROM_ARG(t)
+    if cond:
+        CUSTOM_SINK(t)
+    else:
+        SINK(t)
+
+from module import dangerous as unsafe
+SINK(unsafe)
+
+def test23():
+    with SOURCE as t:
+        SINK(t)
+
+def test24():
+    s = SOURCE
+    SANITIZE(s)
+    SINK(s)
+
+def test_update_extend(x, y):
+    l = [SOURCE]
+    d = {"key" : SOURCE}
+    x.extend(l)
+    y.update(d)
+    SINK(x[0])
+    SINK(y["key"])
+    l2 = list(l)
+    d2 = dict(d)
+
+def test_truth():
+    t = SOURCE
+    if t:
+        SINK(t)
+    else:
+        SINK(t)
+    if not t:
+        SINK(t)
+    else:
+        SINK(t)
+
+def test_early_exit():
+    t = FALSEY
+    if not t:
+        return
+    t
+
+def flow_through_type_test_if_no_class():
+    t = SOURCE
+    if isinstance(t, str):
+        SINK(t)
+    else:
+        SINK(t)
+
+def flow_in_iteration():
+    t = ITERABLE_SOURCE
+    for i in t:
+        i
+    return i
+
+def flow_in_generator():
+    seq = [SOURCE]
+    for i in seq:
+        yield i
+
+def flow_from_generator():
+    for x in flow_in_generator():
+        SINK(x)
+
--- a/python/ql/test/library-tests/taint/dataflow/Dataflow.expected
+++ b/python/ql/test/library-tests/taint/dataflow/Dataflow.expected
@@ -10,7 +10,5 @@
 | test.py:108:13:108:18 | ControlFlowNode for SOURCE | test.py:112:14:112:14 | ControlFlowNode for t |
 | test.py:139:10:139:15 | ControlFlowNode for SOURCE | test.py:140:14:140:14 | ControlFlowNode for t |
 | test.py:143:9:143:14 | ControlFlowNode for SOURCE | test.py:145:10:145:10 | ControlFlowNode for s |
-| test.py:148:10:148:15 | ControlFlowNode for SOURCE | test.py:152:10:152:13 | ControlFlowNode for Subscript |
-| test.py:149:18:149:23 | ControlFlowNode for SOURCE | test.py:153:10:153:17 | ControlFlowNode for Subscript |
 | test.py:158:9:158:14 | ControlFlowNode for SOURCE | test.py:160:14:160:14 | ControlFlowNode for t |
 | test.py:158:9:158:14 | ControlFlowNode for SOURCE | test.py:166:14:166:14 | ControlFlowNode for t |
--- a/python/ql/test/library-tests/taint/dataflow/TestNode.expected
+++ b/python/ql/test/library-tests/taint/dataflow/TestNode.expected
@@ -1,17 +1,10 @@
+WARNING: Predicate getNode has been deprecated and may be removed in future (TestNode.ql:5,77-84)
 | Taint Data flow | test.py:3 | SOURCE |  |
 | Taint Data flow | test.py:6 | SOURCE |  |
 | Taint Data flow | test.py:7 | s |  |
 | Taint Data flow | test.py:10 | SOURCE |  |
-| Taint Data flow | test.py:12 | arg | test.py:21 |
-| Taint Data flow | test.py:12 | arg | test.py:25 |
-| Taint Data flow | test.py:12 | arg | test.py:47 from test.py:55 |
-| Taint Data flow | test.py:12 | arg | test.py:51 from test.py:63 |
-| Taint Data flow | test.py:12 | arg | test.py:51 from test.py:70 |
-| Taint Data flow | test.py:13 | arg | test.py:21 |
-| Taint Data flow | test.py:13 | arg | test.py:25 |
-| Taint Data flow | test.py:13 | arg | test.py:47 from test.py:55 |
-| Taint Data flow | test.py:13 | arg | test.py:51 from test.py:63 |
-| Taint Data flow | test.py:13 | arg | test.py:51 from test.py:70 |
+| Taint Data flow | test.py:12 | arg | p0 = Data flow |
+| Taint Data flow | test.py:13 | arg | p0 = Data flow |
 | Taint Data flow | test.py:16 | source() |  |
 | Taint Data flow | test.py:17 | t |  |
 | Taint Data flow | test.py:20 | SOURCE |  |
@@ -22,20 +15,18 @@
 | Taint Data flow | test.py:37 | SOURCE |  |
 | Taint Data flow | test.py:41 | t |  |
 | Taint Data flow | test.py:44 | source() |  |
-| Taint Data flow | test.py:46 | arg | test.py:55 |
-| Taint Data flow | test.py:47 | arg | test.py:55 |
-| Taint Data flow | test.py:49 | arg | test.py:63 |
-| Taint Data flow | test.py:49 | arg | test.py:70 |
-| Taint Data flow | test.py:51 | arg | test.py:63 |
-| Taint Data flow | test.py:51 | arg | test.py:70 |
+| Taint Data flow | test.py:46 | arg | p0 = Data flow |
+| Taint Data flow | test.py:47 | arg | p0 = Data flow |
+| Taint Data flow | test.py:49 | arg | p1 = Data flow |
+| Taint Data flow | test.py:51 | arg | p1 = Data flow |
 | Taint Data flow | test.py:54 | source2() |  |
 | Taint Data flow | test.py:55 | t |  |
 | Taint Data flow | test.py:62 | SOURCE |  |
 | Taint Data flow | test.py:63 | t |  |
 | Taint Data flow | test.py:67 | SOURCE |  |
 | Taint Data flow | test.py:70 | t |  |
-| Taint Data flow | test.py:72 | arg | test.py:77 |
-| Taint Data flow | test.py:73 | arg | test.py:77 |
+| Taint Data flow | test.py:72 | arg | p0 = Data flow |
+| Taint Data flow | test.py:73 | arg | p0 = Data flow |
 | Taint Data flow | test.py:76 | SOURCE |  |
 | Taint Data flow | test.py:77 | hub() |  |
 | Taint Data flow | test.py:77 | t |  |
@@ -53,8 +44,6 @@
 | Taint Data flow | test.py:145 | s |  |
 | Taint Data flow | test.py:148 | SOURCE |  |
 | Taint Data flow | test.py:149 | SOURCE |  |
-| Taint Data flow | test.py:152 | Subscript |  |
-| Taint Data flow | test.py:153 | Subscript |  |
 | Taint Data flow | test.py:158 | SOURCE |  |
 | Taint Data flow | test.py:159 | t |  |
 | Taint Data flow | test.py:160 | t |  |
@@ -62,11 +51,9 @@
 | Taint Data flow | test.py:166 | t |  |
 | Taint [Data flow] | test.py:148 | List |  |
 | Taint [Data flow] | test.py:150 | l |  |
-| Taint [Data flow] | test.py:152 | x |  |
 | Taint [Data flow] | test.py:154 | l |  |
 | Taint [Data flow] | test.py:154 | list() |  |
 | Taint {Data flow} | test.py:149 | Dict |  |
 | Taint {Data flow} | test.py:151 | d |  |
-| Taint {Data flow} | test.py:153 | y |  |
 | Taint {Data flow} | test.py:155 | d |  |
 | Taint {Data flow} | test.py:155 | dict() |  |
--- a/python/ql/test/library-tests/taint/dataflow/TestNode.ql
+++ b/python/ql/test/library-tests/taint/dataflow/TestNode.ql
@@ -2,4 +2,4 @@ import python
 import Config

 from TaintedNode n
-select n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext()
+select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext()
--- a/python/ql/test/library-tests/taint/example/DilbertConfig.qll
+++ b/python/ql/test/library-tests/taint/example/DilbertConfig.qll
@@ -0,0 +1,60 @@
+/**
+ * @kind path-problem
+ * 
+ * An example configuration.
+ * See ExampleConfiguration.expected for the results of running this query.
+ */
+
+import python
+import semmle.python.dataflow.Configuration
+
+/* First of all we set up some TaintKinds */
+
+class Engineer extends TaintKind {
+
+    Engineer() { this = "Wally" or this = "Dilbert" }
+
+}
+
+class Wally extends Engineer {
+
+    Wally() { this = "Wally" }
+
+}
+
+/** Then the configuration */
+
+class DilbertConfig extends TaintTracking::Configuration {
+
+    DilbertConfig() { this = "Dilbert config" }
+
+    override predicate isSource(DataFlow::Node node, TaintKind kind) {
+        node.asAstNode().(Name).getId() = "ENGINEER" and kind instanceof Engineer
+    }
+
+    override predicate isSink(DataFlow::Node node, TaintKind kind) {
+        /* Engineers hate meetings */
+        function_param("meeting", node) and kind instanceof Engineer
+    }
+
+    override predicate isBarrier(DataFlow::Node node, TaintKind kind) {
+        /* There is no way that Wally is working through lunch */
+        function_param("lunch", node) and kind instanceof Wally
+    }
+
+    override predicate isBarrier(DataFlow::Node node) {
+        /* Even the conscientious stop work if the building is on fire */
+        function_param("fire", node)
+    }
+
+}
+
+
+
+/** Helper predicate looking for `funcname(..., arg, ...)` */
+private predicate function_param(string funcname, DataFlow::Node arg) {
+    exists(Call call |
+        call.getFunc().(Name).getId() = funcname and
+        arg.asAstNode() = call.getAnArg()
+    )
+}
--- a/python/ql/test/library-tests/taint/example/Edges.expected
+++ b/python/ql/test/library-tests/taint/example/Edges.expected
@@ -0,0 +1,85 @@
+| 5: SSA variable worker = Dilbert (p1 = Dilbert)    | use        | 6: worker = Dilbert (p1 = Dilbert) |
+| 5: SSA variable worker = Wally (p1 = Wally)        | use        | 6: worker = Wally (p1 = Wally) |
+| 5: worker = Dilbert (p1 = Dilbert)                 | [dataflow] | 5: SSA variable worker = Dilbert (p1 = Dilbert) |
+| 5: worker = Wally (p1 = Wally)                     | [dataflow] | 5: SSA variable worker = Wally (p1 = Wally) |
+| 6: worker = Dilbert (p1 = Dilbert)                 | [dataflow] | 6: SSA variable self.worker = Dilbert (p1 = Dilbert) |
+| 6: worker = Wally (p1 = Wally)                     | [dataflow] | 6: SSA variable self.worker = Wally (p1 = Wally) |
+| 8: SSA variable worker = Dilbert (p0 = Dilbert)    | [dataflow] | 10: SSA variable worker = Dilbert (p0 = Dilbert) |
+| 8: SSA variable worker = Dilbert (p0 = Dilbert)    | use        | 10: worker = Dilbert (p0 = Dilbert) |
+| 8: SSA variable worker = Wally (p0 = Wally)        | [dataflow] | 10: SSA variable worker = Wally (p0 = Wally) |
+| 8: SSA variable worker = Wally (p0 = Wally)        | use        | 10: worker = Wally (p0 = Wally) |
+| 8: worker = Dilbert (p0 = Dilbert)                 | [dataflow] | 8: SSA variable worker = Dilbert (p0 = Dilbert) |
+| 8: worker = Wally (p0 = Wally)                     | [dataflow] | 8: SSA variable worker = Wally (p0 = Wally) |
+| 10: worker = Dilbert (p0 = Dilbert)                | parameter  | 5: worker = Dilbert (p1 = Dilbert) |
+| 10: worker = Wally (p0 = Wally)                    | parameter  | 5: worker = Wally (p1 = Wally) |
+| 12: SSA variable worker = Dilbert (p0 = Dilbert)   | use        | 13: worker = Dilbert (p0 = Dilbert) |
+| 12: worker = Dilbert (p0 = Dilbert)                | [dataflow] | 12: SSA variable worker = Dilbert (p0 = Dilbert) |
+| 17: ENGINEER = Dilbert                             | [dataflow] | 17: SSA variable worker = Dilbert |
+| 17: ENGINEER = Wally                               | [dataflow] | 17: SSA variable worker = Wally |
+| 17: SSA variable worker = Dilbert                  | [dataflow] | 18: SSA variable worker = Dilbert |
+| 17: SSA variable worker = Dilbert                  | use        | 18: worker = Dilbert |
+| 17: SSA variable worker = Wally                    | [dataflow] | 18: SSA variable worker = Wally |
+| 17: SSA variable worker = Wally                    | use        | 18: worker = Wally |
+| 22: ENGINEER = Dilbert                             | [dataflow] | 22: SSA variable worker = Dilbert |
+| 22: ENGINEER = Wally                               | [dataflow] | 22: SSA variable worker = Wally |
+| 22: SSA variable worker = Dilbert                  | use        | 23: worker = Dilbert |
+| 23: SSA variable worker = Dilbert                  | [dataflow] | 24: SSA variable worker = Dilbert |
+| 23: SSA variable worker = Dilbert                  | use        | 24: worker = Dilbert |
+| 23: lunch() = Dilbert                              | [dataflow] | 23: SSA variable worker = Dilbert |
+| 23: worker = Dilbert                               | call       | 23: lunch() = Dilbert |
+| 23: worker = Dilbert                               | parameter  | 12: worker = Dilbert (p0 = Dilbert) |
+| 28: ENGINEER = Dilbert                             | [dataflow] | 28: SSA variable worker = Dilbert |
+| 28: ENGINEER = Wally                               | [dataflow] | 28: SSA variable worker = Wally |
+| 28: SSA variable worker = Dilbert                  | [dataflow] | 29: SSA variable worker = Dilbert |
+| 28: SSA variable worker = Dilbert                  | use        | 29: worker = Dilbert |
+| 28: SSA variable worker = Wally                    | [dataflow] | 29: SSA variable worker = Wally |
+| 28: SSA variable worker = Wally                    | use        | 29: worker = Wally |
+| 33: ENGINEER = Dilbert                             | [dataflow] | 33: SSA variable worker = Dilbert |
+| 33: ENGINEER = Wally                               | [dataflow] | 33: SSA variable worker = Wally |
+| 33: SSA variable worker = Dilbert                  | use        | 34: worker = Dilbert |
+| 33: SSA variable worker = Wally                    | use        | 34: worker = Wally |
+| 34: SSA variable task.worker = Dilbert             | use        | 37: task.worker = Dilbert |
+| 34: SSA variable task.worker = Wally               | use        | 37: task.worker = Wally |
+| 34: assign_task().worker = Dilbert                 | [dataflow] | 34: SSA variable task.worker = Dilbert |
+| 34: assign_task().worker = Wally                   | [dataflow] | 34: SSA variable task.worker = Wally |
+| 34: worker = Dilbert                               | call       | 34: assign_task().worker = Dilbert |
+| 34: worker = Dilbert                               | parameter  | 8: worker = Dilbert (p0 = Dilbert) |
+| 34: worker = Wally                                 | call       | 34: assign_task().worker = Wally |
+| 34: worker = Wally                                 | parameter  | 8: worker = Wally (p0 = Wally) |
+| 37: Attribute = Dilbert                            | call       | 37: lunch() = Dilbert |
+| 37: Attribute = Dilbert                            | parameter  | 12: worker = Dilbert (p0 = Dilbert) |
+| 37: SSA variable worker = Dilbert                  | [dataflow] | 39: SSA variable worker = Dilbert |
+| 37: SSA variable worker = Dilbert                  | use        | 39: worker = Dilbert |
+| 37: lunch() = Dilbert                              | [dataflow] | 37: SSA variable worker = Dilbert |
+| 43: ENGINEER = Dilbert                             | [dataflow] | 43: SSA variable worker = Dilbert |
+| 43: ENGINEER = Wally                               | [dataflow] | 43: SSA variable worker = Wally |
+| 48: SSA variable worker = Dilbert (p0 = Dilbert)   | use        | 53: worker = Dilbert (p0 = Dilbert) |
+| 48: SSA variable worker = Wally (p0 = Wally)       | use        | 53: worker = Wally (p0 = Wally) |
+| 48: worker = Dilbert (p0 = Dilbert)                | [dataflow] | 48: SSA variable worker = Dilbert (p0 = Dilbert) |
+| 48: worker = Wally (p0 = Wally)                    | [dataflow] | 48: SSA variable worker = Wally (p0 = Wally) |
+| 57: ENGINEER = Dilbert                             | [dataflow] | 57: SSA variable worker = Dilbert |
+| 57: ENGINEER = Wally                               | [dataflow] | 57: SSA variable worker = Wally |
+| 57: SSA variable worker = Dilbert                  | use        | 58: worker = Dilbert |
+| 57: SSA variable worker = Wally                    | use        | 58: worker = Wally |
+| 58: SSA variable worker = Dilbert                  | [dataflow] | 60: SSA variable worker = Dilbert |
+| 58: SSA variable worker = Dilbert                  | use        | 60: worker = Dilbert |
+| 58: SSA variable worker = Wally                    | [dataflow] | 60: SSA variable worker = Wally |
+| 58: SSA variable worker = Wally                    | use        | 60: worker = Wally |
+| 58: cubical() = Dilbert                            | [dataflow] | 58: SSA variable worker = Dilbert |
+| 58: cubical() = Wally                              | [dataflow] | 58: SSA variable worker = Wally |
+| 58: worker = Dilbert                               | call       | 58: cubical() = Dilbert |
+| 58: worker = Dilbert                               | parameter  | 48: worker = Dilbert (p0 = Dilbert) |
+| 58: worker = Wally                                 | call       | 58: cubical() = Wally |
+| 58: worker = Wally                                 | parameter  | 48: worker = Wally (p0 = Wally) |
+| 64: ENGINEER = Dilbert                             | [dataflow] | 64: SSA variable worker = Dilbert |
+| 64: ENGINEER = Wally                               | [dataflow] | 64: SSA variable worker = Wally |
+| 64: SSA variable worker = Dilbert                  | use        | 65: worker = Dilbert |
+| 65: SSA variable worker = Dilbert                  | use        | 66: worker = Dilbert |
+| 65: lunch() = Dilbert                              | [dataflow] | 65: SSA variable worker = Dilbert |
+| 65: worker = Dilbert                               | call       | 65: lunch() = Dilbert |
+| 65: worker = Dilbert                               | parameter  | 12: worker = Dilbert (p0 = Dilbert) |
+| 66: SSA variable worker = Dilbert                  | [dataflow] | 68: SSA variable worker = Dilbert |
+| 66: SSA variable worker = Dilbert                  | use        | 68: worker = Dilbert |
+| 66: cubical() = Dilbert                            | [dataflow] | 66: SSA variable worker = Dilbert |
+| 66: worker = Dilbert                               | call       | 66: cubical() = Dilbert |
+| 66: worker = Dilbert                               | parameter  | 48: worker = Dilbert (p0 = Dilbert) |
--- a/python/ql/test/library-tests/taint/example/Edges.ql
+++ b/python/ql/test/library-tests/taint/example/Edges.ql
@@ -0,0 +1,34 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.dataflow.Implementation
+import DilbertConfig
+
+
+string shortString(TaintTrackingNode n) {
+    if n.getContext().isTop() then
+        result = n.getLocation().getStartLine() + ": " + n.getNode().toString() + n.getPath().extension() + " = " + n.getTaintKind()
+    else
+        result = n.getLocation().getStartLine() + ": " + n.getNode().toString() + n.getPath().extension() + " = " + n.getTaintKind() + " (" + n.getContext().toString() + ")"
+}
+
+bindingset[s, len]
+string ljust(string s, int len) {
+    result = s + 
+    "                                                                            ".prefix(len-s.length())
+}
+
+bindingset[s, len]
+string format(string s, int len) {
+    exists(string label |
+        s = "" and label = "[dataflow]"
+        or
+        s != "" and label = s
+        |
+        result = ljust(label, len)
+    )
+}
+
+from TaintTrackingNode p, TaintTrackingNode s, string label
+where any(DilbertConfig config).(TaintTrackingImplementation).flowStep(p, s, label)
+select format(shortString(p), 50), format(label, 10), shortString(s)
+
--- a/python/ql/test/library-tests/taint/example/ExampleConfig.expected
+++ b/python/ql/test/library-tests/taint/example/ExampleConfig.expected
@@ -0,0 +1,35 @@
+edges
+| example.py:17:14:17:21 | Dilbert | example.py:18:13:18:18 | Dilbert |
+| example.py:17:14:17:21 | Wally | example.py:18:13:18:18 | Wally |
+| example.py:22:14:22:21 | Dilbert | example.py:23:20:23:25 | Dilbert |
+| example.py:23:14:23:26 | Dilbert | example.py:24:13:24:18 | Dilbert |
+| example.py:23:20:23:25 | Dilbert | example.py:23:14:23:26 | Dilbert |
+| example.py:28:14:28:21 | Dilbert | example.py:29:13:29:18 | Dilbert |
+| example.py:28:14:28:21 | Wally | example.py:29:13:29:18 | Wally |
+| example.py:33:14:33:21 | Dilbert | example.py:34:24:34:29 | Dilbert |
+| example.py:34:12:34:30 | .worker = Dilbert | example.py:37:20:37:23 | .worker = Dilbert |
+| example.py:34:24:34:29 | Dilbert | example.py:34:12:34:30 | .worker = Dilbert |
+| example.py:37:14:37:31 | Dilbert | example.py:39:13:39:18 | Dilbert |
+| example.py:37:20:37:23 | .worker = Dilbert | example.py:37:20:37:30 | Dilbert |
+| example.py:37:20:37:30 | Dilbert | example.py:37:14:37:31 | Dilbert |
+| example.py:57:14:57:21 | Dilbert | example.py:58:22:58:27 | Dilbert |
+| example.py:57:14:57:21 | Wally | example.py:58:22:58:27 | Wally |
+| example.py:58:14:58:28 | Dilbert | example.py:60:13:60:18 | Dilbert |
+| example.py:58:14:58:28 | Wally | example.py:60:13:60:18 | Wally |
+| example.py:58:22:58:27 | Dilbert | example.py:58:14:58:28 | Dilbert |
+| example.py:58:22:58:27 | Wally | example.py:58:14:58:28 | Wally |
+| example.py:64:14:64:21 | Dilbert | example.py:65:20:65:25 | Dilbert |
+| example.py:65:14:65:26 | Dilbert | example.py:66:22:66:27 | Dilbert |
+| example.py:65:20:65:25 | Dilbert | example.py:65:14:65:26 | Dilbert |
+| example.py:66:14:66:28 | Dilbert | example.py:68:13:68:18 | Dilbert |
+| example.py:66:22:66:27 | Dilbert | example.py:66:14:66:28 | Dilbert |
+#select
+| example.py:18:13:18:18 | worker | example.py:17:14:17:21 | Dilbert | example.py:18:13:18:18 | Dilbert | $@ goes to a $@. | example.py:17:14:17:21 | ENGINEER | Dilbert | example.py:18:13:18:18 | worker | meeting |
+| example.py:18:13:18:18 | worker | example.py:17:14:17:21 | Wally | example.py:18:13:18:18 | Wally | $@ goes to a $@. | example.py:17:14:17:21 | ENGINEER | Wally | example.py:18:13:18:18 | worker | meeting |
+| example.py:24:13:24:18 | worker | example.py:22:14:22:21 | Dilbert | example.py:24:13:24:18 | Dilbert | $@ goes to a $@. | example.py:22:14:22:21 | ENGINEER | Dilbert | example.py:24:13:24:18 | worker | meeting |
+| example.py:29:13:29:18 | worker | example.py:28:14:28:21 | Dilbert | example.py:29:13:29:18 | Dilbert | $@ goes to a $@. | example.py:28:14:28:21 | ENGINEER | Dilbert | example.py:29:13:29:18 | worker | meeting |
+| example.py:29:13:29:18 | worker | example.py:28:14:28:21 | Wally | example.py:29:13:29:18 | Wally | $@ goes to a $@. | example.py:28:14:28:21 | ENGINEER | Wally | example.py:29:13:29:18 | worker | meeting |
+| example.py:39:13:39:18 | worker | example.py:33:14:33:21 | Dilbert | example.py:39:13:39:18 | Dilbert | $@ goes to a $@. | example.py:33:14:33:21 | ENGINEER | Dilbert | example.py:39:13:39:18 | worker | meeting |
+| example.py:60:13:60:18 | worker | example.py:57:14:57:21 | Dilbert | example.py:60:13:60:18 | Dilbert | $@ goes to a $@. | example.py:57:14:57:21 | ENGINEER | Dilbert | example.py:60:13:60:18 | worker | meeting |
+| example.py:60:13:60:18 | worker | example.py:57:14:57:21 | Wally | example.py:60:13:60:18 | Wally | $@ goes to a $@. | example.py:57:14:57:21 | ENGINEER | Wally | example.py:60:13:60:18 | worker | meeting |
+| example.py:68:13:68:18 | worker | example.py:64:14:64:21 | Dilbert | example.py:68:13:68:18 | Dilbert | $@ goes to a $@. | example.py:64:14:64:21 | ENGINEER | Dilbert | example.py:68:13:68:18 | worker | meeting |
--- a/python/ql/test/library-tests/taint/example/ExampleConfig.ql
+++ b/python/ql/test/library-tests/taint/example/ExampleConfig.ql
@@ -0,0 +1,15 @@
+/**
+ * @kind path-problem
+ * 
+ * An example configuration.
+ * See ExampleConfiguration.expected for the results of running this query.
+ */
+
+import python
+import DilbertConfig
+import semmle.python.security.Paths
+
+
+from DilbertConfig config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "$@ goes to a $@.", src.getNode(), src.getTaintKind().toString(), sink.getNode(), "meeting"
--- a/python/ql/test/library-tests/taint/example/Nodes.expected
+++ b/python/ql/test/library-tests/taint/example/Nodes.expected
@@ -0,0 +1,99 @@
+| example.py:5 | SSA variable worker | no attribute | p1 = Dilbert | Dilbert |
+| example.py:5 | SSA variable worker | no attribute | p1 = Wally | Wally |
+| example.py:5 | worker | no attribute | p1 = Dilbert | Dilbert |
+| example.py:5 | worker | no attribute | p1 = Wally | Wally |
+| example.py:6 | SSA variable self | attribute worker | p1 = Dilbert | Dilbert |
+| example.py:6 | SSA variable self | attribute worker | p1 = Wally | Wally |
+| example.py:6 | worker | no attribute | p1 = Dilbert | Dilbert |
+| example.py:6 | worker | no attribute | p1 = Wally | Wally |
+| example.py:8 | SSA variable worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:8 | SSA variable worker | no attribute | p0 = Wally | Wally |
+| example.py:8 | worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:8 | worker | no attribute | p0 = Wally | Wally |
+| example.py:10 | SSA variable worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:10 | SSA variable worker | no attribute | p0 = Wally | Wally |
+| example.py:10 | Task() | attribute worker | p0 = Dilbert | Dilbert |
+| example.py:10 | Task() | attribute worker | p0 = Wally | Wally |
+| example.py:10 | worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:10 | worker | no attribute | p0 = Wally | Wally |
+| example.py:12 | SSA variable worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:12 | worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:13 | worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:17 | ENGINEER | no attribute |  | Dilbert |
+| example.py:17 | ENGINEER | no attribute |  | Wally |
+| example.py:17 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:17 | SSA variable worker | no attribute |  | Wally |
+| example.py:18 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:18 | SSA variable worker | no attribute |  | Wally |
+| example.py:18 | worker | no attribute |  | Dilbert |
+| example.py:18 | worker | no attribute |  | Wally |
+| example.py:22 | ENGINEER | no attribute |  | Dilbert |
+| example.py:22 | ENGINEER | no attribute |  | Wally |
+| example.py:22 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:22 | SSA variable worker | no attribute |  | Wally |
+| example.py:23 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:23 | lunch() | no attribute |  | Dilbert |
+| example.py:23 | worker | no attribute |  | Dilbert |
+| example.py:24 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:24 | worker | no attribute |  | Dilbert |
+| example.py:28 | ENGINEER | no attribute |  | Dilbert |
+| example.py:28 | ENGINEER | no attribute |  | Wally |
+| example.py:28 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:28 | SSA variable worker | no attribute |  | Wally |
+| example.py:29 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:29 | SSA variable worker | no attribute |  | Wally |
+| example.py:29 | worker | no attribute |  | Dilbert |
+| example.py:29 | worker | no attribute |  | Wally |
+| example.py:33 | ENGINEER | no attribute |  | Dilbert |
+| example.py:33 | ENGINEER | no attribute |  | Wally |
+| example.py:33 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:33 | SSA variable worker | no attribute |  | Wally |
+| example.py:34 | SSA variable task | attribute worker |  | Dilbert |
+| example.py:34 | SSA variable task | attribute worker |  | Wally |
+| example.py:34 | assign_task() | attribute worker |  | Dilbert |
+| example.py:34 | assign_task() | attribute worker |  | Wally |
+| example.py:34 | worker | no attribute |  | Dilbert |
+| example.py:34 | worker | no attribute |  | Wally |
+| example.py:37 | Attribute | no attribute |  | Dilbert |
+| example.py:37 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:37 | lunch() | no attribute |  | Dilbert |
+| example.py:37 | task | attribute worker |  | Dilbert |
+| example.py:37 | task | attribute worker |  | Wally |
+| example.py:39 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:39 | worker | no attribute |  | Dilbert |
+| example.py:43 | ENGINEER | no attribute |  | Dilbert |
+| example.py:43 | ENGINEER | no attribute |  | Wally |
+| example.py:43 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:43 | SSA variable worker | no attribute |  | Wally |
+| example.py:48 | SSA variable worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:48 | SSA variable worker | no attribute | p0 = Wally | Wally |
+| example.py:48 | worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:48 | worker | no attribute | p0 = Wally | Wally |
+| example.py:53 | worker | no attribute | p0 = Dilbert | Dilbert |
+| example.py:53 | worker | no attribute | p0 = Wally | Wally |
+| example.py:57 | ENGINEER | no attribute |  | Dilbert |
+| example.py:57 | ENGINEER | no attribute |  | Wally |
+| example.py:57 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:57 | SSA variable worker | no attribute |  | Wally |
+| example.py:58 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:58 | SSA variable worker | no attribute |  | Wally |
+| example.py:58 | cubical() | no attribute |  | Dilbert |
+| example.py:58 | cubical() | no attribute |  | Wally |
+| example.py:58 | worker | no attribute |  | Dilbert |
+| example.py:58 | worker | no attribute |  | Wally |
+| example.py:60 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:60 | SSA variable worker | no attribute |  | Wally |
+| example.py:60 | worker | no attribute |  | Dilbert |
+| example.py:60 | worker | no attribute |  | Wally |
+| example.py:64 | ENGINEER | no attribute |  | Dilbert |
+| example.py:64 | ENGINEER | no attribute |  | Wally |
+| example.py:64 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:64 | SSA variable worker | no attribute |  | Wally |
+| example.py:65 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:65 | lunch() | no attribute |  | Dilbert |
+| example.py:65 | worker | no attribute |  | Dilbert |
+| example.py:66 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:66 | cubical() | no attribute |  | Dilbert |
+| example.py:66 | worker | no attribute |  | Dilbert |
+| example.py:68 | SSA variable worker | no attribute |  | Dilbert |
+| example.py:68 | worker | no attribute |  | Dilbert |
--- a/python/ql/test/library-tests/taint/example/Nodes.ql
+++ b/python/ql/test/library-tests/taint/example/Nodes.ql
@@ -0,0 +1,10 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.dataflow.Implementation
+import DilbertConfig
+
+
+from TaintTrackingNode n
+where n.getConfiguration() instanceof DilbertConfig
+select n.getLocation().toString(), n.getNode().toString(), n.getPath().toString(), n.getContext().toString(), n.getTaintKind()
+
--- a/python/ql/test/library-tests/taint/example/example.py
+++ b/python/ql/test/library-tests/taint/example/example.py
@@ -0,0 +1,69 @@
+
+# A class to demonstrate tracking of tainted attributes.
+class Task(object):
+
+    def __init__(self, worker):
+        self.worker = worker
+
+def assign_task(worker):
+    # The Task object will have its .worker attribute with whatever taint `worker`
+    return Task(worker)
+
+def lunch(worker):
+    return worker
+
+# The engineers go to a meeting
+def example1():
+    worker = ENGINEER
+    meeting(worker)
+
+# The engineers go to a meeting, but might need to skip lunch
+def example2():
+    worker = ENGINEER
+    worker = lunch(worker)
+    meeting(worker)
+
+# Everyone goes to a meeting (but that's OK for the managers)
+def example3():
+    worker = ENGINEER
+    meeting(worker)
+
+#Tracking taint of an attribute.
+def example4():
+    worker = ENGINEER
+    task = assign_task(worker)
+    #Here 'task' has its .worker attribute "tainted"
+    #Task team lunch
+    worker = lunch(task.worker)
+    #And meeting
+    meeting(worker)
+
+#A fire -- A barrier to all kinds of taint.
+def example5():
+    worker = ENGINEER
+    worker = fire(worker)
+    meeting(worker)
+
+#Some context sensitive flow
+def cubical(worker):
+    ''' The flow here is context sensitive.
+        In example6 the worker can be any engineer,
+        but in example7 is cannot be Wally.
+    '''
+    return worker
+
+# Workers go back to their cubicals
+def example6():
+    worker = ENGINEER
+    worker = cubical(worker)
+    #And meeting
+    meeting(worker)
+
+# Workers have lunch, then go back to their cubicals
+def example7():
+    worker = ENGINEER
+    worker = lunch(worker)
+    worker = cubical(worker)
+    #And meeting
+    meeting(worker)
+
--- a/python/ql/test/library-tests/taint/exception_traceback/TestNode.expected
+++ b/python/ql/test/library-tests/taint/exception_traceback/TestNode.expected
@@ -1,3 +1,4 @@
+WARNING: Predicate getNode has been deprecated and may be removed in future (TestNode.ql:8,43-50)
 | test.py:10:11:10:47 | test.py:10 | MyException() | exception.kind |
 | test.py:15:25:15:25 | test.py:15 | e | exception.kind |
 | test.py:16:13:16:34 | test.py:16 | Attribute() | exception.info |
--- a/python/ql/test/library-tests/taint/exception_traceback/TestStep.ql
+++ b/python/ql/test/library-tests/taint/exception_traceback/TestStep.ql
@@ -4,11 +4,11 @@ import semmle.python.security.Exceptions
 import semmle.python.web.HttpResponse

 from TaintedNode n, TaintedNode s
-where 
+where
    s = n.getASuccessor() and
    not n.getLocation().getFile().inStdlib() and
    not s.getLocation().getFile().inStdlib()
 select 
-    n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(),
+    "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().toString(), n.getContext(),
    " --> ",
-    s.getTrackedValue(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext()
+    "Taint " + s.getTaintKind(), s.getLocation().toString(), s.getNode().toString(), s.getContext()
--- a/python/ql/test/library-tests/taint/extensions/TestNode.expected
+++ b/python/ql/test/library-tests/taint/extensions/TestNode.expected
@@ -1,8 +1,9 @@
-| Taint simple.test | visitor.py:10 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:13 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:18 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:19 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:21 | arg | visitor.py:26 |
+WARNING: Predicate getNode has been deprecated and may be removed in future (TestNode.ql:7,77-84)
+| Taint simple.test | visitor.py:10 | arg | p2 = simple.test |
+| Taint simple.test | visitor.py:13 | arg | p2 = simple.test |
+| Taint simple.test | visitor.py:18 | arg |  |
+| Taint simple.test | visitor.py:19 | arg |  |
+| Taint simple.test | visitor.py:21 | arg |  |
 | Taint simple.test | visitor.py:26 | Attribute() |  |
 | Taint simple.test | visitor.py:26 | SOURCE |  |
 | Taint simple.test | visitor.py:27 | x |  |
--- a/python/ql/test/library-tests/taint/extensions/TestNode.ql
+++ b/python/ql/test/library-tests/taint/extensions/TestNode.ql
@@ -4,5 +4,5 @@ import ExtensionsLib


 from TaintedNode n
-select n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext()
+select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext()

--- a/python/ql/test/library-tests/taint/extensions/TestStep.expected
+++ b/python/ql/test/library-tests/taint/extensions/TestStep.expected
@@ -1,7 +1,9 @@
-| Taint simple.test | visitor.py:10 | arg | visitor.py:26 |  -->  | Taint simple.test | visitor.py:13 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:18 | arg | visitor.py:26 |  -->  | Taint simple.test | visitor.py:19 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:19 | arg | visitor.py:26 |  -->  | Taint simple.test | visitor.py:26 | Attribute() |  |
+WARNING: Predicate getNode has been deprecated and may be removed in future (TestStep.ql:9,74-81)
+WARNING: Predicate getNode has been deprecated and may be removed in future (TestStep.ql:11,74-81)
+| Taint simple.test | visitor.py:10 | arg | p2 = simple.test |  -->  | Taint simple.test | visitor.py:13 | arg | p2 = simple.test |
+| Taint simple.test | visitor.py:18 | arg |  |  -->  | Taint simple.test | visitor.py:19 | arg |  |
+| Taint simple.test | visitor.py:19 | arg |  |  -->  | Taint simple.test | visitor.py:26 | Attribute() |  |
 | Taint simple.test | visitor.py:26 | Attribute() |  |  -->  | Taint simple.test | visitor.py:27 | x |  |
-| Taint simple.test | visitor.py:26 | SOURCE |  |  -->  | Taint simple.test | visitor.py:10 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:26 | SOURCE |  |  -->  | Taint simple.test | visitor.py:18 | arg | visitor.py:26 |
-| Taint simple.test | visitor.py:26 | SOURCE |  |  -->  | Taint simple.test | visitor.py:21 | arg | visitor.py:26 |
+| Taint simple.test | visitor.py:26 | SOURCE |  |  -->  | Taint simple.test | visitor.py:10 | arg | p2 = simple.test |
+| Taint simple.test | visitor.py:26 | SOURCE |  |  -->  | Taint simple.test | visitor.py:18 | arg |  |
+| Taint simple.test | visitor.py:26 | SOURCE |  |  -->  | Taint simple.test | visitor.py:21 | arg |  |
--- a/python/ql/test/library-tests/taint/extensions/TestStep.ql
+++ b/python/ql/test/library-tests/taint/extensions/TestStep.ql
@@ -6,6 +6,6 @@ import ExtensionsLib
 from TaintedNode n, TaintedNode s
 where s = n.getASuccessor()
 select 
-    n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(),
+    "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(),
    " --> ",
-    s.getTrackedValue(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext()
+    "Taint " + s.getTaintKind(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext()
--- a/python/ql/test/library-tests/taint/general/Contexts.expected
+++ b/python/ql/test/library-tests/taint/general/Contexts.expected
@@ -1,31 +1,30 @@
-| carrier.py:17 | Function __init__ |
-| carrier.py:25 | Function __init__ |
-| carrier.py:25 | Function hub |
-| carrier.py:29 | Function hub |
-| carrier.py:33 | Function __init__ |
-| deep.py:6 from deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 | Function f1 |
-| deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 | Function f2 |
-| deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 | Function f3 |
-| deep.py:15 from deep.py:18 from deep.py:20 | Function f4 |
-| deep.py:18 from deep.py:20 | Function f5 |
-| deep.py:20 | Function f6 |
-| rockpaperscissors.py:13 | Function rock |
-| rockpaperscissors.py:16 | Function paper |
-| rockpaperscissors.py:21 | Function scissors |
-| rockpaperscissors.py:26 | Function scissors |
-| rockpaperscissors.py:31 | Function paper |
-| rockpaperscissors.py:32 | Function paper |
-| sanitizer.py:10 | Function isEscapedSql |
-| sanitizer.py:17 | Function isValidCommand |
-| test.py:21 | Function sink |
-| test.py:25 | Function sink |
-| test.py:47 from test.py:55 | Function sink |
-| test.py:51 from test.py:63 | Function sink |
-| test.py:51 from test.py:70 | Function sink |
-| test.py:55 | Function sink2 |
-| test.py:63 | Function sink3 |
-| test.py:70 | Function sink3 |
-| test.py:77 | Function hub |
-| test.py:116 | Function hub |
-| test.py:117 | Function x_sink |
-| test.py:121 | Function hub |
+WARNING: Type CallContext has been deprecated and may be removed in future (Contexts.ql:6,6-17)
+WARNING: Type CallContext has been deprecated and may be removed in future (Contexts.ql:7,14-25)
+| carrier.py:4 | p1 = explicit.carrier | Function __init__ |
+| carrier.py:4 | p1 = simple.test | Function __init__ |
+| carrier.py:10 | p0.attr = simple.test | Function get_attr |
+| carrier.py:13 | p0 = explicit.carrier | Function hub |
+| carrier.py:13 | p0.attr = simple.test | Function hub |
+| deep.py:2 | p0 = simple.test | Function f1 |
+| deep.py:5 | p0 = simple.test | Function f2 |
+| deep.py:8 | p0 = simple.test | Function f3 |
+| deep.py:11 | p0 = simple.test | Function f4 |
+| deep.py:14 | p0 = simple.test | Function f5 |
+| deep.py:17 | p0 = simple.test | Function f6 |
+| rockpaperscissors.py:3 | p0 = scissors | Function rock |
+| rockpaperscissors.py:6 | p0 = paper | Function paper |
+| rockpaperscissors.py:6 | p0 = rock | Function paper |
+| rockpaperscissors.py:6 | p0 = scissors | Function paper |
+| rockpaperscissors.py:9 | p0 = paper | Function scissors |
+| rockpaperscissors.py:9 | p0 = scissors | Function scissors |
+| sanitizer.py:3 | p0 = Command injection | Function isEscapedSql |
+| sanitizer.py:3 | p0 = SQL injection | Function isEscapedSql |
+| sanitizer.py:5 | p0 = Command injection | Function isValidCommand |
+| sanitizer.py:5 | p0 = SQL injection | Function isValidCommand |
+| test.py:12 | p0 = simple.test | Function sink |
+| test.py:46 | p0 = simple.test | Function sink2 |
+| test.py:49 | p1 = simple.test | Function sink3 |
+| test.py:72 | p0 = basic.custom | Function hub |
+| test.py:72 | p0 = simple.test | Function hub |
+| test.py:72 | p0.x = simple.test | Function hub |
+| test.py:105 | p0.x = simple.test | Function x_sink |
--- a/python/ql/test/library-tests/taint/general/Contexts.ql
+++ b/python/ql/test/library-tests/taint/general/Contexts.ql
@@ -1,9 +1,10 @@

 import python
-import semmle.python.security.TaintTest
+import semmle.python.dataflow.Implementation
 import TaintLib

 from CallContext context, Scope s
-where exists(CallContext caller | caller.getCallee(_) = context) and context.appliesToScope(s)
-select context, s.toString()
+where exists(CallContext caller | caller.getCallee(_) = context) and
+context.appliesToScope(s)
+select s.getLocation().toString(), context, s.toString()

--- a/python/ql/test/library-tests/taint/general/ModuleAttribute.expected
+++ b/python/ql/test/library-tests/taint/general/ModuleAttribute.expected
@@ -1,4 +1,4 @@
-| Module deep | x | Taint simple.test |  | deep.py:20 |
-| Module module | dangerous | Taint simple.test |  | module.py:3 |
-| Module test | module | Attribute 'dangerous' taint simple.test |  | test.py:85 |
-| Module test | unsafe | Taint simple.test |  | test.py:155 |
+| Module deep | x | simple.test |  | deep.py:20 |
+| Module module | dangerous | simple.test |  | module.py:3 |
+| Module test | module | .dangerous = simple.test |  | test.py:85 |
+| Module test | unsafe | simple.test |  | test.py:156 |
--- a/python/ql/test/library-tests/taint/general/ModuleAttribute.ql
+++ b/python/ql/test/library-tests/taint/general/ModuleAttribute.ql
@@ -1,10 +1,9 @@
 import python
-import semmle.python.security.TaintTest
+import semmle.python.dataflow.Implementation
 import TaintLib


-from ModuleValue m, string name, TaintedNode origin
+from ModuleValue m, string name, TaintedNode origin, TaintTrackingImplementation impl
+where impl.moduleAttributeTainted(m, name, origin)

-where TaintFlowTest::module_attribute_tainted(m, name, origin)
-
-select m.toString(), name, origin.getTrackedValue(), origin.getContext(), origin.getLocation().toString()
+select m.toString(), name, origin.toString(), origin.getContext(), origin.getLocation().toString()
--- a/python/ql/test/library-tests/taint/general/ParamSource.expected
+++ b/python/ql/test/library-tests/taint/general/ParamSource.expected
@@ -1,4 +1,3 @@
-| test | carrier.py:4 | 18 | Attribute | test |
 | test | test.py:12 | 13 | arg | test |
 | test | test.py:46 | 13 | arg | test |
 | test | test.py:49 | 13 | arg | test |
--- a/python/ql/test/library-tests/taint/general/TaintLib.qll
+++ b/python/ql/test/library-tests/taint/general/TaintLib.qll
@@ -50,6 +50,13 @@ class SimpleSanitizer extends Sanitizer {
        taint instanceof SimpleTest
    }

+    override predicate sanitizingDefinition(TaintKind taint, EssaDefinition def) {
+        exists(CallNode call |
+            def.(ArgumentRefinement).getInput().getAUse() = call.getAnArg() and
+            call.getFunction().(NameNode).getId() = "SANITIZE"
+        ) and
+        taint instanceof SimpleTest
+    }
 }

 class BasicCustomTaint extends TaintKind {
@@ -385,6 +392,3 @@ class TaintIterableSource extends TaintSource {
    }

 }
-
-
-
--- a/python/ql/test/library-tests/taint/general/TaintSanity.ql
+++ b/python/ql/test/library-tests/taint/general/TaintSanity.ql
@@ -1,26 +1,26 @@
 import python
-import semmle.python.security.TaintTest
+import semmle.python.dataflow.TaintTracking
+import semmle.python.dataflow.Implementation
 import TaintLib

-from TaintFlowTest::TrackedValue taint, CallContext c, ControlFlowNode n, string what
+from TaintKind taint, TaintTrackingContext c, DataFlow::Node n, string what, TaintTrackingImplementation impl
 where
-not exists(TaintedNode t | t.getTrackedValue() = taint and t.getNode() = n and t.getContext() = c) and
+not exists(TaintedNode t | t.getTaintKind() = taint and t.getNode() = n and t.getContext() = c) and
 (
-    TaintFlowTest::step(_, taint, c, n) and what = "missing node at end of step"
+    impl.flowStep(_, n, c, _, taint, _) and what = "missing node at end of step"
    or
-    n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "missing node for source"
-
+    impl.flowSource(n, c, _, taint) and what = "missing node for source"
 )
 or
-exists(TaintedNode t | t.getTrackedValue() = taint and t.getNode() = n and t.getContext() = c
+exists(TaintedNode t | t.getTaintKind() = taint and t.getNode() = n and t.getContext() = c
    |
-    not TaintFlowTest::step(_, taint, c, n) and 
-    not n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "TaintedNode with no reason"
+    not impl.flowStep(_, n, c, _, taint, _) and 
+    not impl.flowSource(n, c, _, taint) and what = "TaintedNode with no reason"
    or
-    TaintFlowTest::step(t, taint, c, n) and what = "step ends where it starts"
+    impl.flowStep(t, n, c, _, taint, _) and what = "step ends where it starts"
    or
-    TaintFlowTest::step(t,  _, _, _) and not TaintFlowTest::step(_, taint, c, n) and
-    not n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "No predecessor and not a source"
+    impl.flowStep(t, _, _, _, _, _) and not impl.flowStep(_, n, c, _, taint, _) and
+    not impl.flowSource(n, c, _, taint) and what = "No predecessor and not a source"
 )

 select n.getLocation(), taint, c, n.toString(), what
--- a/python/ql/test/library-tests/taint/general/TestDefn.expected
+++ b/python/ql/test/library-tests/taint/general/TestDefn.expected
@@ -1,191 +1,95 @@
 | carrier.py:4 | ParameterDefinition | carrier.py:4 | Taint explicit.carrier | arg |
 | carrier.py:4 | ParameterDefinition | carrier.py:4 | Taint simple.test | arg |
-| carrier.py:5 | AttributeAssignment 'attr'(self_0) | carrier.py:5 | Attribute 'attr' taint explicit.carrier | self |
-| carrier.py:5 | AttributeAssignment 'attr'(self_0) | carrier.py:5 | Attribute 'attr' taint simple.test | self |
-| carrier.py:13 | ParameterDefinition | carrier.py:13 | Attribute 'attr' taint simple.test | arg |
+| carrier.py:10 | ParameterDefinition | carrier.py:10 | Taint .attr = simple.test | self |
+| carrier.py:13 | ParameterDefinition | carrier.py:13 | Taint .attr = simple.test | arg |
 | carrier.py:13 | ParameterDefinition | carrier.py:13 | Taint explicit.carrier | arg |
-| carrier.py:17 | ImplicitCarrier() | carrier.py:17 | Attribute 'attr' taint simple.test | ImplicitCarrier() |
-| carrier.py:21 | TAINT_CARRIER_SOURCE | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
-| carrier.py:22 | MethodCallsiteRefinement(c_0) | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
-| carrier.py:25 | hub() | carrier.py:25 | Attribute 'attr' taint simple.test | hub() |
-| carrier.py:29 | hub() | carrier.py:29 | Taint explicit.carrier | hub() |
-| carrier.py:30 | MethodCallsiteRefinement(c_0) | carrier.py:29 | Taint explicit.carrier | hub() |
-| carrier.py:33 | ImplicitCarrier() | carrier.py:33 | Attribute 'attr' taint explicit.carrier | ImplicitCarrier() |
-| carrier.py:34 | Attribute | carrier.py:34 | Taint explicit.carrier | Attribute |
-| carrier.py:35 | MethodCallsiteRefinement(x_0) | carrier.py:34 | Taint explicit.carrier | Attribute |
+| carrier.py:17 | ImplicitCarrier() | carrier.py:17 | Taint .attr = simple.test | c |
+| carrier.py:21 | TAINT_CARRIER_SOURCE | carrier.py:21 | Taint explicit.carrier | c |
+| carrier.py:25 | hub() | carrier.py:25 | Taint .attr = simple.test | c |
+| carrier.py:29 | hub() | carrier.py:29 | Taint explicit.carrier | c |
+| carrier.py:33 | ImplicitCarrier() | carrier.py:33 | Taint .attr = explicit.carrier | c |
+| carrier.py:34 | Attribute | carrier.py:34 | Taint explicit.carrier | x |
 | deep.py:2 | ParameterDefinition | deep.py:2 | Taint simple.test | arg |
 | deep.py:5 | ParameterDefinition | deep.py:5 | Taint simple.test | arg |
-| deep.py:6 | ArgumentRefinement(arg_0) | deep.py:5 | Taint simple.test | arg |
 | deep.py:8 | ParameterDefinition | deep.py:8 | Taint simple.test | arg |
-| deep.py:9 | ArgumentRefinement(arg_0) | deep.py:8 | Taint simple.test | arg |
 | deep.py:11 | ParameterDefinition | deep.py:11 | Taint simple.test | arg |
-| deep.py:12 | ArgumentRefinement(arg_0) | deep.py:11 | Taint simple.test | arg |
 | deep.py:14 | ParameterDefinition | deep.py:14 | Taint simple.test | arg |
-| deep.py:15 | ArgumentRefinement(arg_0) | deep.py:14 | Taint simple.test | arg |
 | deep.py:17 | ParameterDefinition | deep.py:17 | Taint simple.test | arg |
-| deep.py:18 | ArgumentRefinement(arg_0) | deep.py:17 | Taint simple.test | arg |
-| deep.py:20 | f6() | deep.py:20 | Taint simple.test | f6() |
-| module.py:3 | SOURCE | module.py:3 | Taint simple.test | SOURCE |
+| deep.py:20 | f6() | deep.py:20 | Taint simple.test | x |
+| module.py:3 | SOURCE | module.py:3 | Taint simple.test | dangerous |
 | rockpaperscissors.py:3 | ParameterDefinition | rockpaperscissors.py:3 | Taint scissors | arg |
 | rockpaperscissors.py:6 | ParameterDefinition | rockpaperscissors.py:6 | Taint paper | arg |
 | rockpaperscissors.py:6 | ParameterDefinition | rockpaperscissors.py:6 | Taint rock | arg |
 | rockpaperscissors.py:6 | ParameterDefinition | rockpaperscissors.py:6 | Taint scissors | arg |
 | rockpaperscissors.py:9 | ParameterDefinition | rockpaperscissors.py:9 | Taint paper | arg |
 | rockpaperscissors.py:9 | ParameterDefinition | rockpaperscissors.py:9 | Taint scissors | arg |
-| rockpaperscissors.py:19 | ROCK | rockpaperscissors.py:19 | Taint rock | ROCK |
-| rockpaperscissors.py:20 | Attribute() | rockpaperscissors.py:20 | Taint scissors | Attribute() |
-| rockpaperscissors.py:20 | MethodCallsiteRefinement(x_0) | rockpaperscissors.py:19 | Taint rock | ROCK |
-| rockpaperscissors.py:21 | ArgumentRefinement(y_0) | rockpaperscissors.py:20 | Taint scissors | Attribute() |
-| rockpaperscissors.py:24 | ROCK | rockpaperscissors.py:24 | Taint rock | ROCK |
-| rockpaperscissors.py:25 | Attribute() | rockpaperscissors.py:25 | Taint paper | Attribute() |
-| rockpaperscissors.py:25 | MethodCallsiteRefinement(x_0) | rockpaperscissors.py:24 | Taint rock | ROCK |
-| rockpaperscissors.py:26 | ArgumentRefinement(y_0) | rockpaperscissors.py:25 | Taint paper | Attribute() |
-| rockpaperscissors.py:29 | SCISSORS | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
-| rockpaperscissors.py:30 | Attribute() | rockpaperscissors.py:30 | Taint paper | Attribute() |
-| rockpaperscissors.py:30 | MethodCallsiteRefinement(x_0) | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
-| rockpaperscissors.py:31 | ArgumentRefinement(x_1) | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
-| rockpaperscissors.py:32 | ArgumentRefinement(y_0) | rockpaperscissors.py:30 | Taint paper | Attribute() |
+| rockpaperscissors.py:19 | ROCK | rockpaperscissors.py:19 | Taint rock | x |
+| rockpaperscissors.py:20 | Attribute() | rockpaperscissors.py:20 | Taint scissors | y |
+| rockpaperscissors.py:24 | ROCK | rockpaperscissors.py:24 | Taint rock | x |
+| rockpaperscissors.py:25 | Attribute() | rockpaperscissors.py:25 | Taint paper | y |
+| rockpaperscissors.py:29 | SCISSORS | rockpaperscissors.py:29 | Taint scissors | x |
+| rockpaperscissors.py:30 | Attribute() | rockpaperscissors.py:30 | Taint paper | y |
 | sanitizer.py:3 | ParameterDefinition | sanitizer.py:3 | Taint Command injection | arg |
 | sanitizer.py:3 | ParameterDefinition | sanitizer.py:3 | Taint SQL injection | arg |
 | sanitizer.py:5 | ParameterDefinition | sanitizer.py:5 | Taint Command injection | arg |
 | sanitizer.py:5 | ParameterDefinition | sanitizer.py:5 | Taint SQL injection | arg |
-| sanitizer.py:8 | phi(x_2, x_4) | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:8 | phi(x_2, x_4) | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:11 | ArgumentRefinement(x_1) | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:11 | Pi(x_0) [true] | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:13 | ArgumentRefinement(x_3) | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:13 | ArgumentRefinement(x_3) | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:13 | Pi(x_0) [false] | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:13 | Pi(x_0) [false] | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:15 | phi(x_2, x_4) | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:15 | phi(x_2, x_4) | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:18 | ArgumentRefinement(x_1) | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:18 | Pi(x_0) [true] | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:20 | ArgumentRefinement(x_3) | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:20 | ArgumentRefinement(x_3) | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:20 | Pi(x_0) [false] | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:20 | Pi(x_0) [false] | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:23 | phi(x_2, x_4) | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:23 | phi(x_2, x_4) | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:26 | ArgumentRefinement(x_1) | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:26 | ArgumentRefinement(x_1) | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:26 | Pi(x_0) [true] | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:26 | Pi(x_0) [true] | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:28 | ArgumentRefinement(x_3) | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:28 | ArgumentRefinement(x_3) | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:28 | Pi(x_0) [false] | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:28 | Pi(x_0) [false] | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:30 | phi(x_2, x_4) | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:30 | phi(x_2, x_4) | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:33 | ArgumentRefinement(x_1) | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:33 | ArgumentRefinement(x_1) | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:33 | Pi(x_0) [true] | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:33 | Pi(x_0) [true] | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:35 | ArgumentRefinement(x_3) | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:35 | ArgumentRefinement(x_3) | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:35 | Pi(x_0) [false] | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:35 | Pi(x_0) [false] | sanitizer.py:31 | Taint SQL injection | user_input() |
-| test.py:6 | SOURCE | test.py:6 | Taint simple.test | SOURCE |
-| test.py:7 | ArgumentRefinement(s_0) | test.py:6 | Taint simple.test | SOURCE |
+| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint Command injection | x |
+| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint SQL injection | x |
+| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint Command injection | x |
+| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint SQL injection | x |
+| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint Command injection | x |
+| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint SQL injection | x |
+| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint Command injection | x |
+| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint SQL injection | x |
+| test.py:6 | SOURCE | test.py:6 | Taint simple.test | s |
 | test.py:12 | ParameterDefinition | test.py:12 | Taint simple.test | arg |
-| test.py:13 | ArgumentRefinement(arg_0) | test.py:12 | Taint simple.test | arg |
-| test.py:16 | source() | test.py:16 | Taint simple.test | source() |
-| test.py:17 | ArgumentRefinement(t_0) | test.py:16 | Taint simple.test | source() |
-| test.py:20 | SOURCE | test.py:20 | Taint simple.test | SOURCE |
-| test.py:21 | ArgumentRefinement(t_0) | test.py:20 | Taint simple.test | SOURCE |
-| test.py:24 | source() | test.py:24 | Taint simple.test | source() |
-| test.py:25 | ArgumentRefinement(t_0) | test.py:24 | Taint simple.test | source() |
-| test.py:31 | SOURCE | test.py:31 | Taint simple.test | SOURCE |
-| test.py:37 | SOURCE | test.py:37 | Taint simple.test | SOURCE |
-| test.py:41 | ArgumentRefinement(t_0) | test.py:37 | Taint simple.test | SOURCE |
+| test.py:16 | source() | test.py:16 | Taint simple.test | t |
+| test.py:20 | SOURCE | test.py:20 | Taint simple.test | t |
+| test.py:24 | source() | test.py:24 | Taint simple.test | t |
+| test.py:31 | SOURCE | test.py:31 | Taint simple.test | t |
+| test.py:37 | SOURCE | test.py:37 | Taint simple.test | t |
 | test.py:46 | ParameterDefinition | test.py:46 | Taint simple.test | arg |
-| test.py:47 | ArgumentRefinement(arg_0) | test.py:46 | Taint simple.test | arg |
 | test.py:49 | ParameterDefinition | test.py:49 | Taint simple.test | arg |
-| test.py:49 | phi(arg_0, arg_1) | test.py:49 | Taint simple.test | arg |
-| test.py:51 | ArgumentRefinement(arg_0) | test.py:49 | Taint simple.test | arg |
-| test.py:54 | source2() | test.py:54 | Taint simple.test | source2() |
-| test.py:55 | ArgumentRefinement(t_0) | test.py:54 | Taint simple.test | source2() |
-| test.py:62 | SOURCE | test.py:62 | Taint simple.test | SOURCE |
-| test.py:63 | phi(t_0, t_1) | test.py:62 | Taint simple.test | SOURCE |
-| test.py:67 | SOURCE | test.py:67 | Taint simple.test | SOURCE |
-| test.py:70 | phi(t_0, t_1) | test.py:67 | Taint simple.test | SOURCE |
-| test.py:72 | ParameterDefinition | test.py:72 | Attribute 'x' taint simple.test | arg |
+| test.py:54 | source2() | test.py:54 | Taint simple.test | t |
+| test.py:62 | SOURCE | test.py:62 | Taint simple.test | t |
+| test.py:67 | SOURCE | test.py:67 | Taint simple.test | t |
+| test.py:72 | ParameterDefinition | test.py:72 | Taint .x = simple.test | arg |
 | test.py:72 | ParameterDefinition | test.py:72 | Taint basic.custom | arg |
 | test.py:72 | ParameterDefinition | test.py:72 | Taint simple.test | arg |
-| test.py:76 | SOURCE | test.py:76 | Taint simple.test | SOURCE |
-| test.py:77 | hub() | test.py:77 | Taint simple.test | hub() |
-| test.py:78 | ArgumentRefinement(t_1) | test.py:77 | Taint simple.test | hub() |
-| test.py:85 | ImportExpr | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:87 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:88 | Attribute | test.py:88 | Taint simple.test | Attribute |
-| test.py:89 | ArgumentRefinement(t_0) | test.py:88 | Taint simple.test | Attribute |
-| test.py:91 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:95 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:99 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:100 | Attribute() | test.py:100 | Taint simple.test | Attribute() |
-| test.py:101 | ArgumentRefinement(t_0) | test.py:100 | Taint simple.test | Attribute() |
-| test.py:105 | ParameterDefinition | test.py:105 | Attribute 'x' taint simple.test | arg |
-| test.py:108 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:110 | AttributeAssignment 'x'(t_0) | test.py:110 | Attribute 'x' taint simple.test | t |
-| test.py:113 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:115 | AttributeAssignment 'x'(t_0) | test.py:115 | Attribute 'x' taint simple.test | t |
-| test.py:116 | hub() | test.py:116 | Attribute 'x' taint simple.test | hub() |
-| test.py:117 | ArgumentRefinement(t_2) | test.py:116 | Attribute 'x' taint simple.test | hub() |
-| test.py:120 | CUSTOM_SOURCE | test.py:120 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:121 | hub() | test.py:121 | Taint basic.custom | hub() |
-| test.py:122 | ArgumentRefinement(t_1) | test.py:121 | Taint basic.custom | hub() |
-| test.py:126 | CUSTOM_SOURCE | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:128 | SOURCE | test.py:128 | Taint simple.test | SOURCE |
-| test.py:130 | ArgumentRefinement(t_0) | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:132 | ArgumentRefinement(t_2) | test.py:128 | Taint simple.test | SOURCE |
-| test.py:136 | CUSTOM_SOURCE | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:138 | SOURCE | test.py:138 | Taint simple.test | SOURCE |
-| test.py:140 | ArgumentRefinement(t_2) | test.py:138 | Taint simple.test | SOURCE |
-| test.py:142 | ArgumentRefinement(t_0) | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:146 | CUSTOM_SOURCE | test.py:146 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:148 | SOURCE | test.py:148 | Taint simple.test | SOURCE |
-| test.py:149 | TAINT_FROM_ARG() | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
-| test.py:151 | ArgumentRefinement(t_1) | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
-| test.py:155 | ImportMember | test.py:155 | Taint simple.test | ImportMember |
-| test.py:156 | ArgumentRefinement(unsafe_0) | test.py:155 | Taint simple.test | ImportMember |
-| test.py:159 | with | test.py:159 | Taint simple.test | SOURCE |
-| test.py:160 | ArgumentRefinement(t_0) | test.py:159 | Taint simple.test | SOURCE |
-| test.py:163 | SOURCE | test.py:163 | Taint simple.test | SOURCE |
-| test.py:168 | List | test.py:168 | Taint [simple.test] | List |
-| test.py:169 | Dict | test.py:169 | Taint {simple.test} | Dict |
-| test.py:170 | ArgumentRefinement(l_0) | test.py:168 | Taint [simple.test] | List |
-| test.py:171 | ArgumentRefinement(d_0) | test.py:169 | Taint {simple.test} | Dict |
-| test.py:174 | ArgumentRefinement(l_1) | test.py:168 | Taint [simple.test] | List |
-| test.py:174 | list() | test.py:174 | Taint [simple.test] | list() |
-| test.py:175 | ArgumentRefinement(d_1) | test.py:169 | Taint {simple.test} | Dict |
-| test.py:175 | dict() | test.py:175 | Taint {simple.test} | dict() |
-| test.py:178 | SOURCE | test.py:178 | Taint simple.test | SOURCE |
-| test.py:180 | ArgumentRefinement(t_1) | test.py:178 | Taint simple.test | SOURCE |
-| test.py:180 | Pi(t_0) [true] | test.py:178 | Taint simple.test | SOURCE |
-| test.py:183 | SingleSuccessorGuard(t_2) [false] | test.py:178 | Taint simple.test | SOURCE |
-| test.py:186 | ArgumentRefinement(t_3) | test.py:178 | Taint simple.test | SOURCE |
-| test.py:189 | FALSEY | test.py:189 | Taint falsey | FALSEY |
-| test.py:191 | Pi(t_0) [true] | test.py:189 | Taint falsey | FALSEY |
-| test.py:194 | phi(t_2, t_4) | test.py:195 | Taint simple.test | SOURCE |
-| test.py:195 | SOURCE | test.py:195 | Taint simple.test | SOURCE |
-| test.py:197 | ArgumentRefinement(t_1) | test.py:195 | Taint simple.test | SOURCE |
-| test.py:197 | Pi(t_0) [true] | test.py:195 | Taint simple.test | SOURCE |
-| test.py:199 | ArgumentRefinement(t_3) | test.py:195 | Taint simple.test | SOURCE |
-| test.py:199 | Pi(t_0) [false] | test.py:195 | Taint simple.test | SOURCE |
-| test.py:202 | ITERABLE_SOURCE | test.py:202 | Taint iterable.simple | ITERABLE_SOURCE |
-| test.py:203 | For | test.py:203 | Taint simple.test | For |
-| test.py:203 | phi(i_0, i_2) | test.py:203 | Taint simple.test | For |
-| test.py:208 | List | test.py:208 | Taint [simple.test] | List |
-| test.py:209 | For | test.py:209 | Taint simple.test | For |
-| test.py:209 | phi(i_0, i_2) | test.py:209 | Taint simple.test | For |
-| test.py:213 | For | test.py:213 | Taint simple.test | For |
-| test.py:213 | phi(x_2, x_3) | test.py:213 | Taint simple.test | For |
-| test.py:214 | ArgumentRefinement(x_1) | test.py:213 | Taint simple.test | For |
+| test.py:76 | SOURCE | test.py:76 | Taint simple.test | t |
+| test.py:77 | hub() | test.py:77 | Taint simple.test | t |
+| test.py:85 | ImportExpr | test.py:85 | Taint .dangerous = simple.test | module |
+| test.py:87 | ScopeEntryDefinition | test.py:87 | Taint .dangerous = simple.test | Function test13 |
+| test.py:88 | Attribute | test.py:88 | Taint simple.test | t |
+| test.py:91 | ScopeEntryDefinition | test.py:91 | Taint .dangerous = simple.test | Function test14 |
+| test.py:95 | ScopeEntryDefinition | test.py:95 | Taint .dangerous = simple.test | Function test15 |
+| test.py:99 | ScopeEntryDefinition | test.py:99 | Taint .dangerous = simple.test | Function test16 |
+| test.py:100 | Attribute() | test.py:100 | Taint simple.test | t |
+| test.py:105 | ParameterDefinition | test.py:105 | Taint .x = simple.test | arg |
+| test.py:108 | ScopeEntryDefinition | test.py:108 | Taint .dangerous = simple.test | Function test17 |
+| test.py:113 | ScopeEntryDefinition | test.py:113 | Taint .dangerous = simple.test | Function test18 |
+| test.py:116 | hub() | test.py:116 | Taint .x = simple.test | t |
+| test.py:120 | CUSTOM_SOURCE | test.py:120 | Taint basic.custom | t |
+| test.py:121 | hub() | test.py:121 | Taint basic.custom | t |
+| test.py:126 | CUSTOM_SOURCE | test.py:126 | Taint basic.custom | t |
+| test.py:128 | SOURCE | test.py:128 | Taint simple.test | t |
+| test.py:136 | CUSTOM_SOURCE | test.py:136 | Taint basic.custom | t |
+| test.py:138 | SOURCE | test.py:138 | Taint simple.test | t |
+| test.py:146 | CUSTOM_SOURCE | test.py:146 | Taint basic.custom | t |
+| test.py:148 | SOURCE | test.py:148 | Taint simple.test | t |
+| test.py:149 | TAINT_FROM_ARG() | test.py:149 | Taint basic.custom | t |
+| test.py:155 | ImportMember | test.py:155 | Taint simple.test | unsafe |
+| test.py:159 | with | test.py:159 | Taint simple.test | t |
+| test.py:163 | SOURCE | test.py:163 | Taint simple.test | s |
+| test.py:168 | List | test.py:168 | Taint sequence of simple.test | l |
+| test.py:169 | Dict | test.py:169 | Taint dict of simple.test | d |
+| test.py:174 | list() | test.py:174 | Taint sequence of simple.test | l2 |
+| test.py:175 | dict() | test.py:175 | Taint dict of simple.test | d2 |
+| test.py:178 | SOURCE | test.py:178 | Taint simple.test | t |
+| test.py:189 | FALSEY | test.py:189 | Taint falsey | t |
+| test.py:195 | SOURCE | test.py:195 | Taint simple.test | t |
+| test.py:202 | ITERABLE_SOURCE | test.py:202 | Taint iterable.simple | t |
+| test.py:203 | For | test.py:203 | Taint simple.test | i |
+| test.py:208 | List | test.py:208 | Taint sequence of simple.test | seq |
+| test.py:209 | For | test.py:209 | Taint simple.test | i |
+| test.py:213 | For | test.py:213 | Taint simple.test | x |
--- a/python/ql/test/library-tests/taint/general/TestDefn.ql
+++ b/python/ql/test/library-tests/taint/general/TestDefn.ql
@@ -3,7 +3,7 @@ import semmle.python.security.TaintTest
 import TaintLib


-from EssaDefinition defn, TaintedNode n
-where TaintFlowTest::tainted_def(defn, _, n)
+from EssaNodeDefinition defn, TaintedNode n
+where n.getNode().asVariable() = defn.getVariable()
 select 
-    defn.getLocation().toString(), defn.getRepresentation(), n.getLocation().toString(), n.getTrackedValue(), n.getNode().getNode().toString()
+    defn.getLocation().toString(), defn.getRepresentation(), n.getLocation().toString(), "Taint " + n.toString(), defn.getDefiningNode().getNode().toString()
--- a/python/ql/test/library-tests/taint/general/TestNode.expected
+++ b/python/ql/test/library-tests/taint/general/TestNode.expected
@@ -1,246 +0,0 @@
-| Attribute 'attr' taint explicit.carrier | carrier.py:5 | self | carrier.py:33 |
-| Attribute 'attr' taint explicit.carrier | carrier.py:33 | ImplicitCarrier() |  |
-| Attribute 'attr' taint explicit.carrier | carrier.py:34 | c |  |
-| Attribute 'attr' taint simple.test | carrier.py:5 | self | carrier.py:17 |
-| Attribute 'attr' taint simple.test | carrier.py:5 | self | carrier.py:25 |
-| Attribute 'attr' taint simple.test | carrier.py:13 | arg | carrier.py:25 |
-| Attribute 'attr' taint simple.test | carrier.py:14 | arg | carrier.py:25 |
-| Attribute 'attr' taint simple.test | carrier.py:17 | ImplicitCarrier() |  |
-| Attribute 'attr' taint simple.test | carrier.py:18 | c |  |
-| Attribute 'attr' taint simple.test | carrier.py:25 | ImplicitCarrier() |  |
-| Attribute 'attr' taint simple.test | carrier.py:25 | hub() |  |
-| Attribute 'attr' taint simple.test | carrier.py:26 | c |  |
-| Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |
-| Attribute 'dangerous' taint simple.test | test.py:88 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:92 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:96 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:100 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:110 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:115 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:155 | ImportExpr |  |
-| Attribute 'x' taint simple.test | test.py:72 | arg | test.py:116 |
-| Attribute 'x' taint simple.test | test.py:73 | arg | test.py:116 |
-| Attribute 'x' taint simple.test | test.py:105 | arg | test.py:117 |
-| Attribute 'x' taint simple.test | test.py:106 | arg | test.py:117 |
-| Attribute 'x' taint simple.test | test.py:110 | t |  |
-| Attribute 'x' taint simple.test | test.py:111 | t |  |
-| Attribute 'x' taint simple.test | test.py:115 | t |  |
-| Attribute 'x' taint simple.test | test.py:116 | hub() |  |
-| Attribute 'x' taint simple.test | test.py:116 | t |  |
-| Attribute 'x' taint simple.test | test.py:117 | t |  |
-| Taint Command injection | sanitizer.py:3 | arg | sanitizer.py:10 |
-| Taint Command injection | sanitizer.py:5 | arg | sanitizer.py:17 |
-| Taint Command injection | sanitizer.py:9 | user_input() |  |
-| Taint Command injection | sanitizer.py:10 | x |  |
-| Taint Command injection | sanitizer.py:11 | x |  |
-| Taint Command injection | sanitizer.py:13 | x |  |
-| Taint Command injection | sanitizer.py:16 | user_input() |  |
-| Taint Command injection | sanitizer.py:17 | x |  |
-| Taint Command injection | sanitizer.py:20 | x |  |
-| Taint Command injection | sanitizer.py:24 | user_input() |  |
-| Taint Command injection | sanitizer.py:25 | x |  |
-| Taint Command injection | sanitizer.py:26 | x |  |
-| Taint Command injection | sanitizer.py:28 | x |  |
-| Taint Command injection | sanitizer.py:31 | user_input() |  |
-| Taint Command injection | sanitizer.py:32 | x |  |
-| Taint Command injection | sanitizer.py:33 | x |  |
-| Taint Command injection | sanitizer.py:35 | x |  |
-| Taint SQL injection | sanitizer.py:3 | arg | sanitizer.py:10 |
-| Taint SQL injection | sanitizer.py:5 | arg | sanitizer.py:17 |
-| Taint SQL injection | sanitizer.py:9 | user_input() |  |
-| Taint SQL injection | sanitizer.py:10 | x |  |
-| Taint SQL injection | sanitizer.py:13 | x |  |
-| Taint SQL injection | sanitizer.py:16 | user_input() |  |
-| Taint SQL injection | sanitizer.py:17 | x |  |
-| Taint SQL injection | sanitizer.py:18 | x |  |
-| Taint SQL injection | sanitizer.py:20 | x |  |
-| Taint SQL injection | sanitizer.py:24 | user_input() |  |
-| Taint SQL injection | sanitizer.py:25 | x |  |
-| Taint SQL injection | sanitizer.py:26 | x |  |
-| Taint SQL injection | sanitizer.py:28 | x |  |
-| Taint SQL injection | sanitizer.py:31 | user_input() |  |
-| Taint SQL injection | sanitizer.py:32 | x |  |
-| Taint SQL injection | sanitizer.py:33 | x |  |
-| Taint SQL injection | sanitizer.py:35 | x |  |
-| Taint [simple.test] | test.py:168 | List |  |
-| Taint [simple.test] | test.py:170 | l |  |
-| Taint [simple.test] | test.py:172 | x |  |
-| Taint [simple.test] | test.py:174 | l |  |
-| Taint [simple.test] | test.py:174 | list() |  |
-| Taint [simple.test] | test.py:208 | List |  |
-| Taint [simple.test] | test.py:209 | seq |  |
-| Taint [simple.test] | test.py:213 | flow_in_generator() |  |
-| Taint basic.custom | test.py:72 | arg | test.py:121 |
-| Taint basic.custom | test.py:73 | arg | test.py:121 |
-| Taint basic.custom | test.py:120 | CUSTOM_SOURCE |  |
-| Taint basic.custom | test.py:121 | TAINT_FROM_ARG() |  |
-| Taint basic.custom | test.py:121 | hub() |  |
-| Taint basic.custom | test.py:121 | t |  |
-| Taint basic.custom | test.py:122 | t |  |
-| Taint basic.custom | test.py:126 | CUSTOM_SOURCE |  |
-| Taint basic.custom | test.py:130 | t |  |
-| Taint basic.custom | test.py:136 | CUSTOM_SOURCE |  |
-| Taint basic.custom | test.py:142 | t |  |
-| Taint basic.custom | test.py:146 | CUSTOM_SOURCE |  |
-| Taint basic.custom | test.py:149 | TAINT_FROM_ARG() |  |
-| Taint basic.custom | test.py:149 | t |  |
-| Taint basic.custom | test.py:151 | t |  |
-| Taint explicit.carrier | carrier.py:4 | arg | carrier.py:33 |
-| Taint explicit.carrier | carrier.py:5 | arg | carrier.py:33 |
-| Taint explicit.carrier | carrier.py:13 | arg | carrier.py:29 |
-| Taint explicit.carrier | carrier.py:14 | arg | carrier.py:29 |
-| Taint explicit.carrier | carrier.py:21 | TAINT_CARRIER_SOURCE |  |
-| Taint explicit.carrier | carrier.py:22 | c |  |
-| Taint explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE |  |
-| Taint explicit.carrier | carrier.py:29 | hub() |  |
-| Taint explicit.carrier | carrier.py:30 | c |  |
-| Taint explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE |  |
-| Taint explicit.carrier | carrier.py:34 | Attribute |  |
-| Taint explicit.carrier | carrier.py:35 | x |  |
-| Taint falsey | test.py:189 | FALSEY |  |
-| Taint falsey | test.py:190 | t |  |
-| Taint iterable.simple | test.py:202 | ITERABLE_SOURCE |  |
-| Taint iterable.simple | test.py:203 | t |  |
-| Taint paper | rockpaperscissors.py:6 | arg | rockpaperscissors.py:32 |
-| Taint paper | rockpaperscissors.py:9 | arg | rockpaperscissors.py:26 |
-| Taint paper | rockpaperscissors.py:25 | Attribute() |  |
-| Taint paper | rockpaperscissors.py:26 | y |  |
-| Taint paper | rockpaperscissors.py:30 | Attribute() |  |
-| Taint paper | rockpaperscissors.py:32 | y |  |
-| Taint rock | rockpaperscissors.py:6 | arg | rockpaperscissors.py:16 |
-| Taint rock | rockpaperscissors.py:16 | ROCK |  |
-| Taint rock | rockpaperscissors.py:19 | ROCK |  |
-| Taint rock | rockpaperscissors.py:20 | x |  |
-| Taint rock | rockpaperscissors.py:24 | ROCK |  |
-| Taint rock | rockpaperscissors.py:25 | x |  |
-| Taint scissors | rockpaperscissors.py:3 | arg | rockpaperscissors.py:13 |
-| Taint scissors | rockpaperscissors.py:6 | arg | rockpaperscissors.py:31 |
-| Taint scissors | rockpaperscissors.py:9 | arg | rockpaperscissors.py:21 |
-| Taint scissors | rockpaperscissors.py:13 | SCISSORS |  |
-| Taint scissors | rockpaperscissors.py:20 | Attribute() |  |
-| Taint scissors | rockpaperscissors.py:21 | y |  |
-| Taint scissors | rockpaperscissors.py:25 | Attribute() |  |
-| Taint scissors | rockpaperscissors.py:29 | SCISSORS |  |
-| Taint scissors | rockpaperscissors.py:30 | x |  |
-| Taint scissors | rockpaperscissors.py:31 | x |  |
-| Taint simple.test | carrier.py:4 | arg | carrier.py:17 |
-| Taint simple.test | carrier.py:4 | arg | carrier.py:25 |
-| Taint simple.test | carrier.py:5 | arg | carrier.py:17 |
-| Taint simple.test | carrier.py:5 | arg | carrier.py:25 |
-| Taint simple.test | carrier.py:17 | SOURCE |  |
-| Taint simple.test | carrier.py:18 | Attribute |  |
-| Taint simple.test | carrier.py:22 | Attribute() |  |
-| Taint simple.test | carrier.py:25 | SOURCE |  |
-| Taint simple.test | carrier.py:30 | Attribute() |  |
-| Taint simple.test | carrier.py:35 | Attribute() |  |
-| Taint simple.test | deep.py:2 | arg | deep.py:6 from deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:3 | arg | deep.py:6 from deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:5 | arg | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:6 | arg | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:6 | f1() | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:8 | arg | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:9 | arg | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:9 | f2() | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:11 | arg | deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:12 | arg | deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:12 | f3() | deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:14 | arg | deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:15 | arg | deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:15 | f4() | deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:17 | arg | deep.py:20 |
-| Taint simple.test | deep.py:18 | arg | deep.py:20 |
-| Taint simple.test | deep.py:18 | f5() | deep.py:20 |
-| Taint simple.test | deep.py:20 | SOURCE |  |
-| Taint simple.test | deep.py:20 | f6() |  |
-| Taint simple.test | deep.py:22 | x |  |
-| Taint simple.test | module.py:3 | SOURCE |  |
-| Taint simple.test | module.py:7 | SOURCE |  |
-| Taint simple.test | module.py:10 | SOURCE |  |
-| Taint simple.test | test.py:3 | SOURCE |  |
-| Taint simple.test | test.py:6 | SOURCE |  |
-| Taint simple.test | test.py:7 | s |  |
-| Taint simple.test | test.py:10 | SOURCE |  |
-| Taint simple.test | test.py:12 | arg | test.py:21 |
-| Taint simple.test | test.py:12 | arg | test.py:25 |
-| Taint simple.test | test.py:12 | arg | test.py:47 from test.py:55 |
-| Taint simple.test | test.py:12 | arg | test.py:51 from test.py:63 |
-| Taint simple.test | test.py:12 | arg | test.py:51 from test.py:70 |
-| Taint simple.test | test.py:13 | arg | test.py:21 |
-| Taint simple.test | test.py:13 | arg | test.py:25 |
-| Taint simple.test | test.py:13 | arg | test.py:47 from test.py:55 |
-| Taint simple.test | test.py:13 | arg | test.py:51 from test.py:63 |
-| Taint simple.test | test.py:13 | arg | test.py:51 from test.py:70 |
-| Taint simple.test | test.py:16 | source() |  |
-| Taint simple.test | test.py:17 | t |  |
-| Taint simple.test | test.py:20 | SOURCE |  |
-| Taint simple.test | test.py:21 | t |  |
-| Taint simple.test | test.py:24 | source() |  |
-| Taint simple.test | test.py:25 | t |  |
-| Taint simple.test | test.py:31 | SOURCE |  |
-| Taint simple.test | test.py:37 | SOURCE |  |
-| Taint simple.test | test.py:41 | t |  |
-| Taint simple.test | test.py:44 | source() |  |
-| Taint simple.test | test.py:46 | arg | test.py:55 |
-| Taint simple.test | test.py:47 | arg | test.py:55 |
-| Taint simple.test | test.py:49 | arg | test.py:63 |
-| Taint simple.test | test.py:49 | arg | test.py:70 |
-| Taint simple.test | test.py:51 | arg | test.py:63 |
-| Taint simple.test | test.py:51 | arg | test.py:70 |
-| Taint simple.test | test.py:54 | source2() |  |
-| Taint simple.test | test.py:55 | t |  |
-| Taint simple.test | test.py:62 | SOURCE |  |
-| Taint simple.test | test.py:63 | t |  |
-| Taint simple.test | test.py:67 | SOURCE |  |
-| Taint simple.test | test.py:70 | t |  |
-| Taint simple.test | test.py:72 | arg | test.py:77 |
-| Taint simple.test | test.py:73 | arg | test.py:77 |
-| Taint simple.test | test.py:76 | SOURCE |  |
-| Taint simple.test | test.py:77 | hub() |  |
-| Taint simple.test | test.py:77 | t |  |
-| Taint simple.test | test.py:78 | t |  |
-| Taint simple.test | test.py:88 | Attribute |  |
-| Taint simple.test | test.py:89 | t |  |
-| Taint simple.test | test.py:100 | Attribute() |  |
-| Taint simple.test | test.py:101 | t |  |
-| Taint simple.test | test.py:106 | Attribute | test.py:117 |
-| Taint simple.test | test.py:110 | Attribute |  |
-| Taint simple.test | test.py:111 | Attribute |  |
-| Taint simple.test | test.py:115 | Attribute |  |
-| Taint simple.test | test.py:128 | SOURCE |  |
-| Taint simple.test | test.py:132 | t |  |
-| Taint simple.test | test.py:138 | SOURCE |  |
-| Taint simple.test | test.py:140 | t |  |
-| Taint simple.test | test.py:148 | SOURCE |  |
-| Taint simple.test | test.py:149 | t |  |
-| Taint simple.test | test.py:155 | ImportMember |  |
-| Taint simple.test | test.py:156 | unsafe |  |
-| Taint simple.test | test.py:159 | SOURCE |  |
-| Taint simple.test | test.py:160 | t |  |
-| Taint simple.test | test.py:163 | SOURCE |  |
-| Taint simple.test | test.py:164 | s |  |
-| Taint simple.test | test.py:168 | SOURCE |  |
-| Taint simple.test | test.py:169 | SOURCE |  |
-| Taint simple.test | test.py:172 | Subscript |  |
-| Taint simple.test | test.py:173 | Subscript |  |
-| Taint simple.test | test.py:178 | SOURCE |  |
-| Taint simple.test | test.py:179 | t |  |
-| Taint simple.test | test.py:180 | t |  |
-| Taint simple.test | test.py:183 | t |  |
-| Taint simple.test | test.py:186 | t |  |
-| Taint simple.test | test.py:195 | SOURCE |  |
-| Taint simple.test | test.py:196 | t |  |
-| Taint simple.test | test.py:197 | t |  |
-| Taint simple.test | test.py:199 | t |  |
-| Taint simple.test | test.py:203 | For |  |
-| Taint simple.test | test.py:204 | i |  |
-| Taint simple.test | test.py:205 | i |  |
-| Taint simple.test | test.py:208 | SOURCE |  |
-| Taint simple.test | test.py:209 | For |  |
-| Taint simple.test | test.py:210 | i |  |
-| Taint simple.test | test.py:213 | For |  |
-| Taint simple.test | test.py:214 | x |  |
-| Taint {simple.test} | test.py:169 | Dict |  |
-| Taint {simple.test} | test.py:171 | d |  |
-| Taint {simple.test} | test.py:173 | y |  |
-| Taint {simple.test} | test.py:175 | d |  |
-| Taint {simple.test} | test.py:175 | dict() |  |
--- a/python/ql/test/library-tests/taint/general/TestNode.ql
+++ b/python/ql/test/library-tests/taint/general/TestNode.ql
@@ -1,8 +0,0 @@
-import python
-import semmle.python.security.TaintTracking
-import TaintLib
-
-
-from TaintedNode n
-select n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext()
-
--- a/python/ql/test/library-tests/taint/general/TestSink.expected
+++ b/python/ql/test/library-tests/taint/general/TestSink.expected
@@ -14,6 +14,7 @@
 | rock | rockpaperscissors.py:24 | 26 | y | paper |
 | scissors | rockpaperscissors.py:13 | 13 | SCISSORS | scissors |
 | simple.test | carrier.py:17 | 18 | Attribute | simple.test |
+| simple.test | carrier.py:25 | 26 | Attribute() | simple.test |
 | simple.test | module.py:3 | 89 | t | simple.test |
 | simple.test | module.py:3 | 106 | Attribute | simple.test |
 | simple.test | module.py:3 | 111 | Attribute | simple.test |
--- a/python/ql/test/library-tests/taint/general/TestStep.expected
+++ b/python/ql/test/library-tests/taint/general/TestStep.expected
@@ -1,199 +1,201 @@
-| Attribute 'attr' taint explicit.carrier | carrier.py:5 | self | carrier.py:33 |  -->  | Attribute 'attr' taint explicit.carrier | carrier.py:33 | ImplicitCarrier() |  |
-| Attribute 'attr' taint explicit.carrier | carrier.py:33 | ImplicitCarrier() |  |  -->  | Attribute 'attr' taint explicit.carrier | carrier.py:34 | c |  |
-| Attribute 'attr' taint explicit.carrier | carrier.py:34 | c |  |  -->  | Taint explicit.carrier | carrier.py:34 | Attribute |  |
-| Attribute 'attr' taint simple.test | carrier.py:5 | self | carrier.py:17 |  -->  | Attribute 'attr' taint simple.test | carrier.py:17 | ImplicitCarrier() |  |
-| Attribute 'attr' taint simple.test | carrier.py:5 | self | carrier.py:25 |  -->  | Attribute 'attr' taint simple.test | carrier.py:25 | ImplicitCarrier() |  |
-| Attribute 'attr' taint simple.test | carrier.py:13 | arg | carrier.py:25 |  -->  | Attribute 'attr' taint simple.test | carrier.py:14 | arg | carrier.py:25 |
-| Attribute 'attr' taint simple.test | carrier.py:14 | arg | carrier.py:25 |  -->  | Attribute 'attr' taint simple.test | carrier.py:25 | hub() |  |
-| Attribute 'attr' taint simple.test | carrier.py:17 | ImplicitCarrier() |  |  -->  | Attribute 'attr' taint simple.test | carrier.py:18 | c |  |
-| Attribute 'attr' taint simple.test | carrier.py:18 | c |  |  -->  | Taint simple.test | carrier.py:18 | Attribute |  |
-| Attribute 'attr' taint simple.test | carrier.py:25 | ImplicitCarrier() |  |  -->  | Attribute 'attr' taint simple.test | carrier.py:13 | arg | carrier.py:25 |
-| Attribute 'attr' taint simple.test | carrier.py:25 | hub() |  |  -->  | Attribute 'attr' taint simple.test | carrier.py:26 | c |  |
-| Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:88 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:92 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:96 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:100 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:110 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:115 | module |  |
-| Attribute 'dangerous' taint simple.test | test.py:88 | module |  |  -->  | Taint simple.test | test.py:88 | Attribute |  |
-| Attribute 'dangerous' taint simple.test | test.py:110 | module |  |  -->  | Taint simple.test | test.py:110 | Attribute |  |
-| Attribute 'dangerous' taint simple.test | test.py:115 | module |  |  -->  | Taint simple.test | test.py:115 | Attribute |  |
-| Attribute 'x' taint simple.test | test.py:72 | arg | test.py:116 |  -->  | Attribute 'x' taint simple.test | test.py:73 | arg | test.py:116 |
-| Attribute 'x' taint simple.test | test.py:73 | arg | test.py:116 |  -->  | Attribute 'x' taint simple.test | test.py:116 | hub() |  |
-| Attribute 'x' taint simple.test | test.py:105 | arg | test.py:117 |  -->  | Attribute 'x' taint simple.test | test.py:106 | arg | test.py:117 |
-| Attribute 'x' taint simple.test | test.py:106 | arg | test.py:117 |  -->  | Taint simple.test | test.py:106 | Attribute | test.py:117 |
-| Attribute 'x' taint simple.test | test.py:110 | t |  |  -->  | Attribute 'x' taint simple.test | test.py:111 | t |  |
-| Attribute 'x' taint simple.test | test.py:111 | t |  |  -->  | Taint simple.test | test.py:111 | Attribute |  |
-| Attribute 'x' taint simple.test | test.py:115 | t |  |  -->  | Attribute 'x' taint simple.test | test.py:116 | t |  |
-| Attribute 'x' taint simple.test | test.py:116 | hub() |  |  -->  | Attribute 'x' taint simple.test | test.py:117 | t |  |
-| Attribute 'x' taint simple.test | test.py:116 | t |  |  -->  | Attribute 'x' taint simple.test | test.py:72 | arg | test.py:116 |
-| Attribute 'x' taint simple.test | test.py:117 | t |  |  -->  | Attribute 'x' taint simple.test | test.py:105 | arg | test.py:117 |
-| Taint Command injection | sanitizer.py:9 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:10 | x |  |
-| Taint Command injection | sanitizer.py:9 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:11 | x |  |
-| Taint Command injection | sanitizer.py:9 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:13 | x |  |
-| Taint Command injection | sanitizer.py:10 | x |  |  -->  | Taint Command injection | sanitizer.py:3 | arg | sanitizer.py:10 |
-| Taint Command injection | sanitizer.py:16 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:17 | x |  |
-| Taint Command injection | sanitizer.py:16 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:20 | x |  |
-| Taint Command injection | sanitizer.py:17 | x |  |  -->  | Taint Command injection | sanitizer.py:5 | arg | sanitizer.py:17 |
-| Taint Command injection | sanitizer.py:24 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:25 | x |  |
-| Taint Command injection | sanitizer.py:24 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:26 | x |  |
-| Taint Command injection | sanitizer.py:24 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:28 | x |  |
-| Taint Command injection | sanitizer.py:31 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:32 | x |  |
-| Taint Command injection | sanitizer.py:31 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:33 | x |  |
-| Taint Command injection | sanitizer.py:31 | user_input() |  |  -->  | Taint Command injection | sanitizer.py:35 | x |  |
-| Taint SQL injection | sanitizer.py:9 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:10 | x |  |
-| Taint SQL injection | sanitizer.py:9 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:13 | x |  |
-| Taint SQL injection | sanitizer.py:10 | x |  |  -->  | Taint SQL injection | sanitizer.py:3 | arg | sanitizer.py:10 |
-| Taint SQL injection | sanitizer.py:16 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:17 | x |  |
-| Taint SQL injection | sanitizer.py:16 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:18 | x |  |
-| Taint SQL injection | sanitizer.py:16 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:20 | x |  |
-| Taint SQL injection | sanitizer.py:17 | x |  |  -->  | Taint SQL injection | sanitizer.py:5 | arg | sanitizer.py:17 |
-| Taint SQL injection | sanitizer.py:24 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:25 | x |  |
-| Taint SQL injection | sanitizer.py:24 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:26 | x |  |
-| Taint SQL injection | sanitizer.py:24 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:28 | x |  |
-| Taint SQL injection | sanitizer.py:31 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:32 | x |  |
-| Taint SQL injection | sanitizer.py:31 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:33 | x |  |
-| Taint SQL injection | sanitizer.py:31 | user_input() |  |  -->  | Taint SQL injection | sanitizer.py:35 | x |  |
-| Taint [simple.test] | test.py:168 | List |  |  -->  | Taint [simple.test] | test.py:170 | l |  |
-| Taint [simple.test] | test.py:168 | List |  |  -->  | Taint [simple.test] | test.py:174 | l |  |
-| Taint [simple.test] | test.py:170 | l |  |  -->  | Taint [simple.test] | test.py:172 | x |  |
-| Taint [simple.test] | test.py:172 | x |  |  -->  | Taint simple.test | test.py:172 | Subscript |  |
-| Taint [simple.test] | test.py:174 | l |  |  -->  | Taint [simple.test] | test.py:174 | list() |  |
-| Taint [simple.test] | test.py:208 | List |  |  -->  | Taint [simple.test] | test.py:209 | seq |  |
-| Taint [simple.test] | test.py:209 | seq |  |  -->  | Taint simple.test | test.py:209 | For |  |
-| Taint [simple.test] | test.py:213 | flow_in_generator() |  |  -->  | Taint simple.test | test.py:213 | For |  |
-| Taint basic.custom | test.py:72 | arg | test.py:121 |  -->  | Taint basic.custom | test.py:73 | arg | test.py:121 |
-| Taint basic.custom | test.py:73 | arg | test.py:121 |  -->  | Taint basic.custom | test.py:121 | hub() |  |
-| Taint basic.custom | test.py:120 | CUSTOM_SOURCE |  |  -->  | Taint basic.custom | test.py:121 | t |  |
-| Taint basic.custom | test.py:121 | TAINT_FROM_ARG() |  |  -->  | Taint basic.custom | test.py:72 | arg | test.py:121 |
-| Taint basic.custom | test.py:121 | hub() |  |  -->  | Taint basic.custom | test.py:122 | t |  |
-| Taint basic.custom | test.py:121 | t |  |  -->  | Taint basic.custom | test.py:121 | TAINT_FROM_ARG() |  |
-| Taint basic.custom | test.py:126 | CUSTOM_SOURCE |  |  -->  | Taint basic.custom | test.py:130 | t |  |
-| Taint basic.custom | test.py:136 | CUSTOM_SOURCE |  |  -->  | Taint basic.custom | test.py:142 | t |  |
-| Taint basic.custom | test.py:146 | CUSTOM_SOURCE |  |  -->  | Taint basic.custom | test.py:149 | t |  |
-| Taint basic.custom | test.py:149 | TAINT_FROM_ARG() |  |  -->  | Taint basic.custom | test.py:151 | t |  |
-| Taint basic.custom | test.py:149 | t |  |  -->  | Taint basic.custom | test.py:149 | TAINT_FROM_ARG() |  |
-| Taint explicit.carrier | carrier.py:4 | arg | carrier.py:33 |  -->  | Taint explicit.carrier | carrier.py:5 | arg | carrier.py:33 |
-| Taint explicit.carrier | carrier.py:5 | arg | carrier.py:33 |  -->  | Attribute 'attr' taint explicit.carrier | carrier.py:5 | self | carrier.py:33 |
-| Taint explicit.carrier | carrier.py:13 | arg | carrier.py:29 |  -->  | Taint explicit.carrier | carrier.py:14 | arg | carrier.py:29 |
-| Taint explicit.carrier | carrier.py:14 | arg | carrier.py:29 |  -->  | Taint explicit.carrier | carrier.py:29 | hub() |  |
-| Taint explicit.carrier | carrier.py:21 | TAINT_CARRIER_SOURCE |  |  -->  | Taint explicit.carrier | carrier.py:22 | c |  |
-| Taint explicit.carrier | carrier.py:22 | c |  |  -->  | Taint simple.test | carrier.py:22 | Attribute() |  |
-| Taint explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE |  |  -->  | Taint explicit.carrier | carrier.py:13 | arg | carrier.py:29 |
-| Taint explicit.carrier | carrier.py:29 | hub() |  |  -->  | Taint explicit.carrier | carrier.py:30 | c |  |
-| Taint explicit.carrier | carrier.py:30 | c |  |  -->  | Taint simple.test | carrier.py:30 | Attribute() |  |
-| Taint explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE |  |  -->  | Taint explicit.carrier | carrier.py:4 | arg | carrier.py:33 |
-| Taint explicit.carrier | carrier.py:34 | Attribute |  |  -->  | Taint explicit.carrier | carrier.py:35 | x |  |
-| Taint explicit.carrier | carrier.py:35 | x |  |  -->  | Taint simple.test | carrier.py:35 | Attribute() |  |
-| Taint falsey | test.py:189 | FALSEY |  |  -->  | Taint falsey | test.py:190 | t |  |
-| Taint iterable.simple | test.py:202 | ITERABLE_SOURCE |  |  -->  | Taint iterable.simple | test.py:203 | t |  |
-| Taint iterable.simple | test.py:203 | t |  |  -->  | Taint simple.test | test.py:203 | For |  |
-| Taint paper | rockpaperscissors.py:25 | Attribute() |  |  -->  | Taint paper | rockpaperscissors.py:26 | y |  |
-| Taint paper | rockpaperscissors.py:26 | y |  |  -->  | Taint paper | rockpaperscissors.py:9 | arg | rockpaperscissors.py:26 |
-| Taint paper | rockpaperscissors.py:30 | Attribute() |  |  -->  | Taint paper | rockpaperscissors.py:32 | y |  |
-| Taint paper | rockpaperscissors.py:32 | y |  |  -->  | Taint paper | rockpaperscissors.py:6 | arg | rockpaperscissors.py:32 |
-| Taint rock | rockpaperscissors.py:16 | ROCK |  |  -->  | Taint rock | rockpaperscissors.py:6 | arg | rockpaperscissors.py:16 |
-| Taint rock | rockpaperscissors.py:19 | ROCK |  |  -->  | Taint rock | rockpaperscissors.py:20 | x |  |
-| Taint rock | rockpaperscissors.py:20 | x |  |  -->  | Taint scissors | rockpaperscissors.py:20 | Attribute() |  |
-| Taint rock | rockpaperscissors.py:24 | ROCK |  |  -->  | Taint rock | rockpaperscissors.py:25 | x |  |
-| Taint rock | rockpaperscissors.py:25 | x |  |  -->  | Taint scissors | rockpaperscissors.py:25 | Attribute() |  |
-| Taint scissors | rockpaperscissors.py:13 | SCISSORS |  |  -->  | Taint scissors | rockpaperscissors.py:3 | arg | rockpaperscissors.py:13 |
-| Taint scissors | rockpaperscissors.py:20 | Attribute() |  |  -->  | Taint scissors | rockpaperscissors.py:21 | y |  |
-| Taint scissors | rockpaperscissors.py:21 | y |  |  -->  | Taint scissors | rockpaperscissors.py:9 | arg | rockpaperscissors.py:21 |
-| Taint scissors | rockpaperscissors.py:25 | Attribute() |  |  -->  | Taint paper | rockpaperscissors.py:25 | Attribute() |  |
-| Taint scissors | rockpaperscissors.py:29 | SCISSORS |  |  -->  | Taint scissors | rockpaperscissors.py:30 | x |  |
-| Taint scissors | rockpaperscissors.py:29 | SCISSORS |  |  -->  | Taint scissors | rockpaperscissors.py:31 | x |  |
-| Taint scissors | rockpaperscissors.py:30 | x |  |  -->  | Taint paper | rockpaperscissors.py:30 | Attribute() |  |
-| Taint scissors | rockpaperscissors.py:31 | x |  |  -->  | Taint scissors | rockpaperscissors.py:6 | arg | rockpaperscissors.py:31 |
-| Taint simple.test | carrier.py:4 | arg | carrier.py:17 |  -->  | Taint simple.test | carrier.py:5 | arg | carrier.py:17 |
-| Taint simple.test | carrier.py:4 | arg | carrier.py:25 |  -->  | Taint simple.test | carrier.py:5 | arg | carrier.py:25 |
-| Taint simple.test | carrier.py:5 | arg | carrier.py:17 |  -->  | Attribute 'attr' taint simple.test | carrier.py:5 | self | carrier.py:17 |
-| Taint simple.test | carrier.py:5 | arg | carrier.py:25 |  -->  | Attribute 'attr' taint simple.test | carrier.py:5 | self | carrier.py:25 |
-| Taint simple.test | carrier.py:17 | SOURCE |  |  -->  | Taint simple.test | carrier.py:4 | arg | carrier.py:17 |
-| Taint simple.test | carrier.py:25 | SOURCE |  |  -->  | Taint simple.test | carrier.py:4 | arg | carrier.py:25 |
-| Taint simple.test | deep.py:2 | arg | deep.py:6 from deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:3 | arg | deep.py:6 from deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:3 | arg | deep.py:6 from deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:6 | f1() | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:5 | arg | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:6 | arg | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:6 | arg | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:2 | arg | deep.py:6 from deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:6 | f1() | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:9 | f2() | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:8 | arg | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:9 | arg | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:9 | arg | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:5 | arg | deep.py:9 from deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:9 | f2() | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:12 | f3() | deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:11 | arg | deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:12 | arg | deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:12 | arg | deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:8 | arg | deep.py:12 from deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:12 | f3() | deep.py:15 from deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:15 | f4() | deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:14 | arg | deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:15 | arg | deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:15 | arg | deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:11 | arg | deep.py:15 from deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:15 | f4() | deep.py:18 from deep.py:20 |  -->  | Taint simple.test | deep.py:18 | f5() | deep.py:20 |
-| Taint simple.test | deep.py:17 | arg | deep.py:20 |  -->  | Taint simple.test | deep.py:18 | arg | deep.py:20 |
-| Taint simple.test | deep.py:18 | arg | deep.py:20 |  -->  | Taint simple.test | deep.py:14 | arg | deep.py:18 from deep.py:20 |
-| Taint simple.test | deep.py:18 | f5() | deep.py:20 |  -->  | Taint simple.test | deep.py:20 | f6() |  |
-| Taint simple.test | deep.py:20 | SOURCE |  |  -->  | Taint simple.test | deep.py:17 | arg | deep.py:20 |
-| Taint simple.test | deep.py:20 | f6() |  |  -->  | Taint simple.test | deep.py:22 | x |  |
-| Taint simple.test | module.py:3 | SOURCE |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:85 | ImportExpr |  |
-| Taint simple.test | module.py:3 | SOURCE |  |  -->  | Attribute 'dangerous' taint simple.test | test.py:155 | ImportExpr |  |
-| Taint simple.test | module.py:3 | SOURCE |  |  -->  | Taint simple.test | test.py:155 | ImportMember |  |
-| Taint simple.test | module.py:7 | SOURCE |  |  -->  | Taint simple.test | test.py:100 | Attribute() |  |
-| Taint simple.test | test.py:6 | SOURCE |  |  -->  | Taint simple.test | test.py:7 | s |  |
-| Taint simple.test | test.py:10 | SOURCE |  |  -->  | Taint simple.test | test.py:16 | source() |  |
-| Taint simple.test | test.py:10 | SOURCE |  |  -->  | Taint simple.test | test.py:24 | source() |  |
-| Taint simple.test | test.py:10 | SOURCE |  |  -->  | Taint simple.test | test.py:44 | source() |  |
-| Taint simple.test | test.py:12 | arg | test.py:21 |  -->  | Taint simple.test | test.py:13 | arg | test.py:21 |
-| Taint simple.test | test.py:12 | arg | test.py:25 |  -->  | Taint simple.test | test.py:13 | arg | test.py:25 |
-| Taint simple.test | test.py:12 | arg | test.py:47 from test.py:55 |  -->  | Taint simple.test | test.py:13 | arg | test.py:47 from test.py:55 |
-| Taint simple.test | test.py:12 | arg | test.py:51 from test.py:63 |  -->  | Taint simple.test | test.py:13 | arg | test.py:51 from test.py:63 |
-| Taint simple.test | test.py:12 | arg | test.py:51 from test.py:70 |  -->  | Taint simple.test | test.py:13 | arg | test.py:51 from test.py:70 |
-| Taint simple.test | test.py:16 | source() |  |  -->  | Taint simple.test | test.py:17 | t |  |
-| Taint simple.test | test.py:20 | SOURCE |  |  -->  | Taint simple.test | test.py:21 | t |  |
-| Taint simple.test | test.py:21 | t |  |  -->  | Taint simple.test | test.py:12 | arg | test.py:21 |
-| Taint simple.test | test.py:24 | source() |  |  -->  | Taint simple.test | test.py:25 | t |  |
-| Taint simple.test | test.py:25 | t |  |  -->  | Taint simple.test | test.py:12 | arg | test.py:25 |
-| Taint simple.test | test.py:37 | SOURCE |  |  -->  | Taint simple.test | test.py:41 | t |  |
-| Taint simple.test | test.py:44 | source() |  |  -->  | Taint simple.test | test.py:54 | source2() |  |
-| Taint simple.test | test.py:46 | arg | test.py:55 |  -->  | Taint simple.test | test.py:47 | arg | test.py:55 |
-| Taint simple.test | test.py:47 | arg | test.py:55 |  -->  | Taint simple.test | test.py:12 | arg | test.py:47 from test.py:55 |
-| Taint simple.test | test.py:49 | arg | test.py:63 |  -->  | Taint simple.test | test.py:51 | arg | test.py:63 |
-| Taint simple.test | test.py:49 | arg | test.py:70 |  -->  | Taint simple.test | test.py:51 | arg | test.py:70 |
-| Taint simple.test | test.py:51 | arg | test.py:63 |  -->  | Taint simple.test | test.py:12 | arg | test.py:51 from test.py:63 |
-| Taint simple.test | test.py:51 | arg | test.py:70 |  -->  | Taint simple.test | test.py:12 | arg | test.py:51 from test.py:70 |
-| Taint simple.test | test.py:54 | source2() |  |  -->  | Taint simple.test | test.py:55 | t |  |
-| Taint simple.test | test.py:55 | t |  |  -->  | Taint simple.test | test.py:46 | arg | test.py:55 |
-| Taint simple.test | test.py:62 | SOURCE |  |  -->  | Taint simple.test | test.py:63 | t |  |
-| Taint simple.test | test.py:63 | t |  |  -->  | Taint simple.test | test.py:49 | arg | test.py:63 |
-| Taint simple.test | test.py:67 | SOURCE |  |  -->  | Taint simple.test | test.py:70 | t |  |
-| Taint simple.test | test.py:70 | t |  |  -->  | Taint simple.test | test.py:49 | arg | test.py:70 |
-| Taint simple.test | test.py:72 | arg | test.py:77 |  -->  | Taint simple.test | test.py:73 | arg | test.py:77 |
-| Taint simple.test | test.py:73 | arg | test.py:77 |  -->  | Taint simple.test | test.py:77 | hub() |  |
-| Taint simple.test | test.py:76 | SOURCE |  |  -->  | Taint simple.test | test.py:77 | t |  |
-| Taint simple.test | test.py:77 | hub() |  |  -->  | Taint simple.test | test.py:78 | t |  |
-| Taint simple.test | test.py:77 | t |  |  -->  | Taint simple.test | test.py:72 | arg | test.py:77 |
-| Taint simple.test | test.py:88 | Attribute |  |  -->  | Taint simple.test | test.py:89 | t |  |
-| Taint simple.test | test.py:100 | Attribute() |  |  -->  | Taint simple.test | test.py:101 | t |  |
-| Taint simple.test | test.py:110 | Attribute |  |  -->  | Attribute 'x' taint simple.test | test.py:110 | t |  |
-| Taint simple.test | test.py:115 | Attribute |  |  -->  | Attribute 'x' taint simple.test | test.py:115 | t |  |
-| Taint simple.test | test.py:128 | SOURCE |  |  -->  | Taint simple.test | test.py:132 | t |  |
-| Taint simple.test | test.py:138 | SOURCE |  |  -->  | Taint simple.test | test.py:140 | t |  |
-| Taint simple.test | test.py:148 | SOURCE |  |  -->  | Taint simple.test | test.py:149 | t |  |
-| Taint simple.test | test.py:155 | ImportMember |  |  -->  | Taint simple.test | test.py:156 | unsafe |  |
-| Taint simple.test | test.py:159 | SOURCE |  |  -->  | Taint simple.test | test.py:160 | t |  |
-| Taint simple.test | test.py:163 | SOURCE |  |  -->  | Taint simple.test | test.py:164 | s |  |
-| Taint simple.test | test.py:168 | SOURCE |  |  -->  | Taint [simple.test] | test.py:168 | List |  |
-| Taint simple.test | test.py:169 | SOURCE |  |  -->  | Taint {simple.test} | test.py:169 | Dict |  |
-| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:179 | t |  |
-| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:180 | t |  |
-| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:183 | t |  |
-| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:186 | t |  |
-| Taint simple.test | test.py:195 | SOURCE |  |  -->  | Taint simple.test | test.py:196 | t |  |
-| Taint simple.test | test.py:195 | SOURCE |  |  -->  | Taint simple.test | test.py:197 | t |  |
-| Taint simple.test | test.py:195 | SOURCE |  |  -->  | Taint simple.test | test.py:199 | t |  |
-| Taint simple.test | test.py:203 | For |  |  -->  | Taint simple.test | test.py:204 | i |  |
-| Taint simple.test | test.py:203 | For |  |  -->  | Taint simple.test | test.py:205 | i |  |
-| Taint simple.test | test.py:208 | SOURCE |  |  -->  | Taint [simple.test] | test.py:208 | List |  |
-| Taint simple.test | test.py:209 | For |  |  -->  | Taint simple.test | test.py:210 | i |  |
-| Taint simple.test | test.py:210 | i |  |  -->  | Taint [simple.test] | test.py:213 | flow_in_generator() |  |
-| Taint simple.test | test.py:213 | For |  |  -->  | Taint simple.test | test.py:214 | x |  |
-| Taint {simple.test} | test.py:169 | Dict |  |  -->  | Taint {simple.test} | test.py:171 | d |  |
-| Taint {simple.test} | test.py:169 | Dict |  |  -->  | Taint {simple.test} | test.py:175 | d |  |
-| Taint {simple.test} | test.py:171 | d |  |  -->  | Taint {simple.test} | test.py:173 | y |  |
-| Taint {simple.test} | test.py:173 | y |  |  -->  | Taint simple.test | test.py:173 | Subscript |  |
-| Taint {simple.test} | test.py:175 | d |  |  -->  | Taint {simple.test} | test.py:175 | dict() |  |
+| .attr = explicit.carrier | carrier.py:33 | ImplicitCarrier() |  | --> | .attr = explicit.carrier | carrier.py:34 | c |  |
+| .attr = explicit.carrier | carrier.py:34 | c |  | --> | explicit.carrier | carrier.py:34 | Attribute |  |
+| .attr = simple.test | carrier.py:10 | self | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:11 | self | p0.attr = simple.test |
+| .attr = simple.test | carrier.py:11 | self | p0.attr = simple.test | --> | simple.test | carrier.py:11 | Attribute | p0.attr = simple.test |
+| .attr = simple.test | carrier.py:13 | arg | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:14 | arg | p0.attr = simple.test |
+| .attr = simple.test | carrier.py:17 | ImplicitCarrier() |  | --> | .attr = simple.test | carrier.py:18 | c |  |
+| .attr = simple.test | carrier.py:18 | c |  | --> | simple.test | carrier.py:18 | Attribute |  |
+| .attr = simple.test | carrier.py:25 | ImplicitCarrier() |  | --> | .attr = simple.test | carrier.py:13 | arg | p0.attr = simple.test |
+| .attr = simple.test | carrier.py:25 | ImplicitCarrier() |  | --> | .attr = simple.test | carrier.py:25 | hub() |  |
+| .attr = simple.test | carrier.py:25 | hub() |  | --> | .attr = simple.test | carrier.py:26 | c |  |
+| .attr = simple.test | carrier.py:26 | c |  | --> | .attr = simple.test | carrier.py:10 | self | p0.attr = simple.test |
+| .attr = simple.test | carrier.py:26 | c |  | --> | simple.test | carrier.py:26 | Attribute() |  |
+| .dangerous = simple.test | test.py:85 | ImportExpr |  | --> | .dangerous = simple.test | test.py:88 | module |  |
+| .dangerous = simple.test | test.py:85 | ImportExpr |  | --> | .dangerous = simple.test | test.py:92 | module |  |
+| .dangerous = simple.test | test.py:85 | ImportExpr |  | --> | .dangerous = simple.test | test.py:96 | module |  |
+| .dangerous = simple.test | test.py:85 | ImportExpr |  | --> | .dangerous = simple.test | test.py:100 | module |  |
+| .dangerous = simple.test | test.py:85 | ImportExpr |  | --> | .dangerous = simple.test | test.py:110 | module |  |
+| .dangerous = simple.test | test.py:85 | ImportExpr |  | --> | .dangerous = simple.test | test.py:115 | module |  |
+| .dangerous = simple.test | test.py:88 | module |  | --> | simple.test | test.py:88 | Attribute |  |
+| .dangerous = simple.test | test.py:110 | module |  | --> | simple.test | test.py:110 | Attribute |  |
+| .dangerous = simple.test | test.py:115 | module |  | --> | simple.test | test.py:115 | Attribute |  |
+| .x = simple.test | test.py:72 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:73 | arg | p0.x = simple.test |
+| .x = simple.test | test.py:105 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:106 | arg | p0.x = simple.test |
+| .x = simple.test | test.py:106 | arg | p0.x = simple.test | --> | simple.test | test.py:106 | Attribute | p0.x = simple.test |
+| .x = simple.test | test.py:111 | t |  | --> | simple.test | test.py:111 | Attribute |  |
+| .x = simple.test | test.py:116 | hub() |  | --> | .x = simple.test | test.py:117 | t |  |
+| .x = simple.test | test.py:116 | t |  | --> | .x = simple.test | test.py:72 | arg | p0.x = simple.test |
+| .x = simple.test | test.py:116 | t |  | --> | .x = simple.test | test.py:116 | hub() |  |
+| .x = simple.test | test.py:117 | t |  | --> | .x = simple.test | test.py:105 | arg | p0.x = simple.test |
+| Command injection | sanitizer.py:9 | user_input() |  | --> | Command injection | sanitizer.py:10 | x |  |
+| Command injection | sanitizer.py:9 | user_input() |  | --> | Command injection | sanitizer.py:11 | x |  |
+| Command injection | sanitizer.py:9 | user_input() |  | --> | Command injection | sanitizer.py:13 | x |  |
+| Command injection | sanitizer.py:10 | x |  | --> | Command injection | sanitizer.py:3 | arg | p0 = Command injection |
+| Command injection | sanitizer.py:16 | user_input() |  | --> | Command injection | sanitizer.py:17 | x |  |
+| Command injection | sanitizer.py:16 | user_input() |  | --> | Command injection | sanitizer.py:20 | x |  |
+| Command injection | sanitizer.py:17 | x |  | --> | Command injection | sanitizer.py:5 | arg | p0 = Command injection |
+| Command injection | sanitizer.py:24 | user_input() |  | --> | Command injection | sanitizer.py:25 | x |  |
+| Command injection | sanitizer.py:24 | user_input() |  | --> | Command injection | sanitizer.py:26 | x |  |
+| Command injection | sanitizer.py:24 | user_input() |  | --> | Command injection | sanitizer.py:28 | x |  |
+| Command injection | sanitizer.py:31 | user_input() |  | --> | Command injection | sanitizer.py:32 | x |  |
+| Command injection | sanitizer.py:31 | user_input() |  | --> | Command injection | sanitizer.py:33 | x |  |
+| Command injection | sanitizer.py:31 | user_input() |  | --> | Command injection | sanitizer.py:35 | x |  |
+| SQL injection | sanitizer.py:9 | user_input() |  | --> | SQL injection | sanitizer.py:10 | x |  |
+| SQL injection | sanitizer.py:9 | user_input() |  | --> | SQL injection | sanitizer.py:13 | x |  |
+| SQL injection | sanitizer.py:10 | x |  | --> | SQL injection | sanitizer.py:3 | arg | p0 = SQL injection |
+| SQL injection | sanitizer.py:16 | user_input() |  | --> | SQL injection | sanitizer.py:17 | x |  |
+| SQL injection | sanitizer.py:16 | user_input() |  | --> | SQL injection | sanitizer.py:18 | x |  |
+| SQL injection | sanitizer.py:16 | user_input() |  | --> | SQL injection | sanitizer.py:20 | x |  |
+| SQL injection | sanitizer.py:17 | x |  | --> | SQL injection | sanitizer.py:5 | arg | p0 = SQL injection |
+| SQL injection | sanitizer.py:24 | user_input() |  | --> | SQL injection | sanitizer.py:25 | x |  |
+| SQL injection | sanitizer.py:24 | user_input() |  | --> | SQL injection | sanitizer.py:26 | x |  |
+| SQL injection | sanitizer.py:24 | user_input() |  | --> | SQL injection | sanitizer.py:28 | x |  |
+| SQL injection | sanitizer.py:31 | user_input() |  | --> | SQL injection | sanitizer.py:32 | x |  |
+| SQL injection | sanitizer.py:31 | user_input() |  | --> | SQL injection | sanitizer.py:33 | x |  |
+| SQL injection | sanitizer.py:31 | user_input() |  | --> | SQL injection | sanitizer.py:35 | x |  |
+| basic.custom | test.py:72 | arg | p0 = basic.custom | --> | basic.custom | test.py:73 | arg | p0 = basic.custom |
+| basic.custom | test.py:120 | CUSTOM_SOURCE |  | --> | basic.custom | test.py:121 | t |  |
+| basic.custom | test.py:121 | TAINT_FROM_ARG() |  | --> | basic.custom | test.py:72 | arg | p0 = basic.custom |
+| basic.custom | test.py:121 | TAINT_FROM_ARG() |  | --> | basic.custom | test.py:121 | hub() |  |
+| basic.custom | test.py:121 | hub() |  | --> | basic.custom | test.py:122 | t |  |
+| basic.custom | test.py:121 | t |  | --> | basic.custom | test.py:121 | TAINT_FROM_ARG() |  |
+| basic.custom | test.py:126 | CUSTOM_SOURCE |  | --> | basic.custom | test.py:130 | t |  |
+| basic.custom | test.py:136 | CUSTOM_SOURCE |  | --> | basic.custom | test.py:142 | t |  |
+| basic.custom | test.py:146 | CUSTOM_SOURCE |  | --> | basic.custom | test.py:149 | t |  |
+| basic.custom | test.py:149 | TAINT_FROM_ARG() |  | --> | basic.custom | test.py:151 | t |  |
+| basic.custom | test.py:149 | t |  | --> | basic.custom | test.py:149 | TAINT_FROM_ARG() |  |
+| dict of simple.test | test.py:169 | Dict |  | --> | dict of simple.test | test.py:171 | d |  |
+| dict of simple.test | test.py:169 | Dict |  | --> | dict of simple.test | test.py:175 | d |  |
+| dict of simple.test | test.py:171 | SSA variable y |  | --> | dict of simple.test | test.py:173 | y |  |
+| dict of simple.test | test.py:171 | d |  | --> | dict of simple.test | test.py:171 | SSA variable y |  |
+| dict of simple.test | test.py:173 | y |  | --> | simple.test | test.py:173 | Subscript |  |
+| dict of simple.test | test.py:175 | d |  | --> | dict of simple.test | test.py:175 | dict() |  |
+| explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier | --> | explicit.carrier | carrier.py:5 | arg | p1 = explicit.carrier |
+| explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier | --> | explicit.carrier | carrier.py:14 | arg | p0 = explicit.carrier |
+| explicit.carrier | carrier.py:21 | TAINT_CARRIER_SOURCE |  | --> | explicit.carrier | carrier.py:22 | c |  |
+| explicit.carrier | carrier.py:22 | c |  | --> | simple.test | carrier.py:22 | Attribute() |  |
+| explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE |  | --> | explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier |
+| explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE |  | --> | explicit.carrier | carrier.py:29 | hub() |  |
+| explicit.carrier | carrier.py:29 | hub() |  | --> | explicit.carrier | carrier.py:30 | c |  |
+| explicit.carrier | carrier.py:30 | c |  | --> | simple.test | carrier.py:30 | Attribute() |  |
+| explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE |  | --> | .attr = explicit.carrier | carrier.py:33 | ImplicitCarrier() |  |
+| explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE |  | --> | explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier |
+| explicit.carrier | carrier.py:34 | Attribute |  | --> | explicit.carrier | carrier.py:35 | x |  |
+| explicit.carrier | carrier.py:35 | x |  | --> | simple.test | carrier.py:35 | Attribute() |  |
+| falsey | test.py:189 | FALSEY |  | --> | falsey | test.py:190 | t |  |
+| iterable.simple | test.py:202 | ITERABLE_SOURCE |  | --> | iterable.simple | test.py:203 | t |  |
+| iterable.simple | test.py:203 | t |  | --> | simple.test | test.py:203 | For |  |
+| iterable.simple | test.py:213 | flow_in_generator() |  | --> | simple.test | test.py:213 | For |  |
+| paper | rockpaperscissors.py:25 | Attribute() |  | --> | paper | rockpaperscissors.py:26 | y |  |
+| paper | rockpaperscissors.py:26 | y |  | --> | paper | rockpaperscissors.py:9 | arg | p0 = paper |
+| paper | rockpaperscissors.py:30 | Attribute() |  | --> | paper | rockpaperscissors.py:32 | y |  |
+| paper | rockpaperscissors.py:32 | y |  | --> | paper | rockpaperscissors.py:6 | arg | p0 = paper |
+| rock | rockpaperscissors.py:16 | ROCK |  | --> | rock | rockpaperscissors.py:6 | arg | p0 = rock |
+| rock | rockpaperscissors.py:19 | ROCK |  | --> | rock | rockpaperscissors.py:20 | x |  |
+| rock | rockpaperscissors.py:20 | x |  | --> | scissors | rockpaperscissors.py:20 | Attribute() |  |
+| rock | rockpaperscissors.py:24 | ROCK |  | --> | rock | rockpaperscissors.py:25 | x |  |
+| rock | rockpaperscissors.py:25 | x |  | --> | scissors | rockpaperscissors.py:25 | Attribute() |  |
+| scissors | rockpaperscissors.py:13 | SCISSORS |  | --> | scissors | rockpaperscissors.py:3 | arg | p0 = scissors |
+| scissors | rockpaperscissors.py:20 | Attribute() |  | --> | scissors | rockpaperscissors.py:21 | y |  |
+| scissors | rockpaperscissors.py:21 | y |  | --> | scissors | rockpaperscissors.py:9 | arg | p0 = scissors |
+| scissors | rockpaperscissors.py:25 | Attribute() |  | --> | paper | rockpaperscissors.py:25 | Attribute() |  |
+| scissors | rockpaperscissors.py:29 | SCISSORS |  | --> | scissors | rockpaperscissors.py:30 | x |  |
+| scissors | rockpaperscissors.py:29 | SCISSORS |  | --> | scissors | rockpaperscissors.py:31 | x |  |
+| scissors | rockpaperscissors.py:30 | x |  | --> | paper | rockpaperscissors.py:30 | Attribute() |  |
+| scissors | rockpaperscissors.py:31 | x |  | --> | scissors | rockpaperscissors.py:6 | arg | p0 = scissors |
+| sequence of simple.test | test.py:168 | List |  | --> | sequence of simple.test | test.py:170 | l |  |
+| sequence of simple.test | test.py:168 | List |  | --> | sequence of simple.test | test.py:174 | l |  |
+| sequence of simple.test | test.py:170 | SSA variable x |  | --> | sequence of simple.test | test.py:172 | x |  |
+| sequence of simple.test | test.py:170 | l |  | --> | sequence of simple.test | test.py:170 | SSA variable x |  |
+| sequence of simple.test | test.py:172 | x |  | --> | simple.test | test.py:172 | Subscript |  |
+| sequence of simple.test | test.py:174 | l |  | --> | sequence of simple.test | test.py:174 | list() |  |
+| sequence of simple.test | test.py:208 | List |  | --> | sequence of simple.test | test.py:209 | seq |  |
+| sequence of simple.test | test.py:209 | seq |  | --> | simple.test | test.py:209 | For |  |
+| sequence of simple.test | test.py:213 | flow_in_generator() |  | --> | simple.test | test.py:213 | For |  |
+| simple.test | carrier.py:4 | arg | p1 = simple.test | --> | simple.test | carrier.py:5 | arg | p1 = simple.test |
+| simple.test | carrier.py:17 | SOURCE |  | --> | .attr = simple.test | carrier.py:17 | ImplicitCarrier() |  |
+| simple.test | carrier.py:17 | SOURCE |  | --> | simple.test | carrier.py:4 | arg | p1 = simple.test |
+| simple.test | carrier.py:25 | SOURCE |  | --> | .attr = simple.test | carrier.py:25 | ImplicitCarrier() |  |
+| simple.test | carrier.py:25 | SOURCE |  | --> | simple.test | carrier.py:4 | arg | p1 = simple.test |
+| simple.test | deep.py:2 | arg | p0 = simple.test | --> | simple.test | deep.py:3 | arg | p0 = simple.test |
+| simple.test | deep.py:5 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | arg | p0 = simple.test |
+| simple.test | deep.py:6 | arg | p0 = simple.test | --> | simple.test | deep.py:2 | arg | p0 = simple.test |
+| simple.test | deep.py:6 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | f1() | p0 = simple.test |
+| simple.test | deep.py:8 | arg | p0 = simple.test | --> | simple.test | deep.py:9 | arg | p0 = simple.test |
+| simple.test | deep.py:9 | arg | p0 = simple.test | --> | simple.test | deep.py:5 | arg | p0 = simple.test |
+| simple.test | deep.py:9 | arg | p0 = simple.test | --> | simple.test | deep.py:9 | f2() | p0 = simple.test |
+| simple.test | deep.py:11 | arg | p0 = simple.test | --> | simple.test | deep.py:12 | arg | p0 = simple.test |
+| simple.test | deep.py:12 | arg | p0 = simple.test | --> | simple.test | deep.py:8 | arg | p0 = simple.test |
+| simple.test | deep.py:12 | arg | p0 = simple.test | --> | simple.test | deep.py:12 | f3() | p0 = simple.test |
+| simple.test | deep.py:14 | arg | p0 = simple.test | --> | simple.test | deep.py:15 | arg | p0 = simple.test |
+| simple.test | deep.py:15 | arg | p0 = simple.test | --> | simple.test | deep.py:11 | arg | p0 = simple.test |
+| simple.test | deep.py:15 | arg | p0 = simple.test | --> | simple.test | deep.py:15 | f4() | p0 = simple.test |
+| simple.test | deep.py:17 | arg | p0 = simple.test | --> | simple.test | deep.py:18 | arg | p0 = simple.test |
+| simple.test | deep.py:18 | arg | p0 = simple.test | --> | simple.test | deep.py:14 | arg | p0 = simple.test |
+| simple.test | deep.py:18 | arg | p0 = simple.test | --> | simple.test | deep.py:18 | f5() | p0 = simple.test |
+| simple.test | deep.py:20 | SOURCE |  | --> | simple.test | deep.py:17 | arg | p0 = simple.test |
+| simple.test | deep.py:20 | SOURCE |  | --> | simple.test | deep.py:20 | f6() |  |
+| simple.test | deep.py:20 | f6() |  | --> | simple.test | deep.py:22 | x |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:85 | ImportExpr |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:88 | module |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:92 | module |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:96 | module |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:100 | module |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:110 | module |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:115 | module |  |
+| simple.test | module.py:3 | SOURCE |  | --> | .dangerous = simple.test | test.py:155 | ImportExpr |  |
+| simple.test | module.py:3 | SOURCE |  | --> | simple.test | test.py:155 | ImportMember |  |
+| simple.test | module.py:7 | SOURCE |  | --> | simple.test | test.py:100 | Attribute() |  |
+| simple.test | test.py:6 | SOURCE |  | --> | simple.test | test.py:7 | s |  |
+| simple.test | test.py:10 | SOURCE |  | --> | simple.test | test.py:16 | source() |  |
+| simple.test | test.py:10 | SOURCE |  | --> | simple.test | test.py:24 | source() |  |
+| simple.test | test.py:10 | SOURCE |  | --> | simple.test | test.py:44 | source() |  |
+| simple.test | test.py:12 | arg | p0 = simple.test | --> | simple.test | test.py:13 | arg | p0 = simple.test |
+| simple.test | test.py:16 | source() |  | --> | simple.test | test.py:17 | t |  |
+| simple.test | test.py:20 | SOURCE |  | --> | simple.test | test.py:21 | t |  |
+| simple.test | test.py:21 | t |  | --> | simple.test | test.py:12 | arg | p0 = simple.test |
+| simple.test | test.py:24 | source() |  | --> | simple.test | test.py:25 | t |  |
+| simple.test | test.py:25 | t |  | --> | simple.test | test.py:12 | arg | p0 = simple.test |
+| simple.test | test.py:37 | SOURCE |  | --> | simple.test | test.py:41 | t |  |
+| simple.test | test.py:44 | source() |  | --> | simple.test | test.py:54 | source2() |  |
+| simple.test | test.py:46 | arg | p0 = simple.test | --> | simple.test | test.py:47 | arg | p0 = simple.test |
+| simple.test | test.py:47 | arg | p0 = simple.test | --> | simple.test | test.py:12 | arg | p0 = simple.test |
+| simple.test | test.py:49 | arg | p1 = simple.test | --> | simple.test | test.py:51 | arg | p1 = simple.test |
+| simple.test | test.py:51 | arg | p1 = simple.test | --> | simple.test | test.py:12 | arg | p0 = simple.test |
+| simple.test | test.py:54 | source2() |  | --> | simple.test | test.py:55 | t |  |
+| simple.test | test.py:55 | t |  | --> | simple.test | test.py:46 | arg | p0 = simple.test |
+| simple.test | test.py:62 | SOURCE |  | --> | simple.test | test.py:63 | t |  |
+| simple.test | test.py:63 | t |  | --> | simple.test | test.py:49 | arg | p1 = simple.test |
+| simple.test | test.py:67 | SOURCE |  | --> | simple.test | test.py:70 | t |  |
+| simple.test | test.py:70 | t |  | --> | simple.test | test.py:49 | arg | p1 = simple.test |
+| simple.test | test.py:72 | arg | p0 = simple.test | --> | simple.test | test.py:73 | arg | p0 = simple.test |
+| simple.test | test.py:76 | SOURCE |  | --> | simple.test | test.py:77 | t |  |
+| simple.test | test.py:77 | hub() |  | --> | simple.test | test.py:78 | t |  |
+| simple.test | test.py:77 | t |  | --> | simple.test | test.py:72 | arg | p0 = simple.test |
+| simple.test | test.py:77 | t |  | --> | simple.test | test.py:77 | hub() |  |
+| simple.test | test.py:88 | Attribute |  | --> | simple.test | test.py:89 | t |  |
+| simple.test | test.py:100 | Attribute() |  | --> | simple.test | test.py:101 | t |  |
+| simple.test | test.py:110 | Attribute |  | --> | .x = simple.test | test.py:111 | t |  |
+| simple.test | test.py:115 | Attribute |  | --> | .x = simple.test | test.py:116 | t |  |
+| simple.test | test.py:128 | SOURCE |  | --> | simple.test | test.py:132 | t |  |
+| simple.test | test.py:138 | SOURCE |  | --> | simple.test | test.py:140 | t |  |
+| simple.test | test.py:148 | SOURCE |  | --> | simple.test | test.py:149 | t |  |
+| simple.test | test.py:155 | ImportMember |  | --> | simple.test | test.py:156 | unsafe |  |
+| simple.test | test.py:159 | SOURCE |  | --> | simple.test | test.py:160 | t |  |
+| simple.test | test.py:163 | SOURCE |  | --> | simple.test | test.py:164 | s |  |
+| simple.test | test.py:168 | SOURCE |  | --> | sequence of simple.test | test.py:168 | List |  |
+| simple.test | test.py:169 | SOURCE |  | --> | dict of simple.test | test.py:169 | Dict |  |
+| simple.test | test.py:178 | SOURCE |  | --> | simple.test | test.py:179 | t |  |
+| simple.test | test.py:178 | SOURCE |  | --> | simple.test | test.py:180 | t |  |
+| simple.test | test.py:178 | SOURCE |  | --> | simple.test | test.py:183 | t |  |
+| simple.test | test.py:178 | SOURCE |  | --> | simple.test | test.py:186 | t |  |
+| simple.test | test.py:195 | SOURCE |  | --> | simple.test | test.py:196 | t |  |
+| simple.test | test.py:195 | SOURCE |  | --> | simple.test | test.py:197 | t |  |
+| simple.test | test.py:195 | SOURCE |  | --> | simple.test | test.py:199 | t |  |
+| simple.test | test.py:203 | For |  | --> | simple.test | test.py:204 | i |  |
+| simple.test | test.py:203 | For |  | --> | simple.test | test.py:205 | i |  |
+| simple.test | test.py:208 | SOURCE |  | --> | sequence of simple.test | test.py:208 | List |  |
+| simple.test | test.py:209 | For |  | --> | simple.test | test.py:210 | i |  |
+| simple.test | test.py:210 | i |  | --> | iterable.simple | test.py:213 | flow_in_generator() |  |
+| simple.test | test.py:210 | i |  | --> | sequence of simple.test | test.py:213 | flow_in_generator() |  |
+| simple.test | test.py:213 | For |  | --> | simple.test | test.py:214 | x |  |
--- a/python/ql/test/library-tests/taint/general/TestStep.ql
+++ b/python/ql/test/library-tests/taint/general/TestStep.ql
@@ -4,8 +4,9 @@ import TaintLib


 from TaintedNode n, TaintedNode s
-where s = n.getASuccessor()
-select 
-    n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(), 
-    " --> ",
-    s.getTrackedValue(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext()
+where
+    s = n.getASuccessor()
+select
+    n.toString(), n.getLocation().toString(), n.getNode().toString(), n.getContext(),
+    "-->",
+    s.toString(), s.getLocation().toString(), s.getNode().toString(), s.getContext()
--- a/python/ql/test/library-tests/taint/general/TestVar.expected
+++ b/python/ql/test/library-tests/taint/general/TestVar.expected
@@ -1,193 +1,195 @@
-| carrier.py:4 | arg_0 | carrier.py:4 | Taint explicit.carrier | arg |
-| carrier.py:4 | arg_0 | carrier.py:4 | Taint simple.test | arg |
-| carrier.py:5 | self_1 | carrier.py:5 | Attribute 'attr' taint explicit.carrier | self |
-| carrier.py:5 | self_1 | carrier.py:5 | Attribute 'attr' taint simple.test | self |
-| carrier.py:13 | arg_0 | carrier.py:13 | Attribute 'attr' taint simple.test | arg |
-| carrier.py:13 | arg_0 | carrier.py:13 | Taint explicit.carrier | arg |
-| carrier.py:17 | c_0 | carrier.py:17 | Attribute 'attr' taint simple.test | ImplicitCarrier() |
-| carrier.py:21 | c_0 | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
-| carrier.py:22 | c_1 | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
-| carrier.py:25 | c_0 | carrier.py:25 | Attribute 'attr' taint simple.test | hub() |
-| carrier.py:29 | c_0 | carrier.py:29 | Taint explicit.carrier | hub() |
-| carrier.py:30 | c_1 | carrier.py:29 | Taint explicit.carrier | hub() |
-| carrier.py:33 | c_0 | carrier.py:33 | Attribute 'attr' taint explicit.carrier | ImplicitCarrier() |
-| carrier.py:34 | x_0 | carrier.py:34 | Taint explicit.carrier | Attribute |
-| carrier.py:35 | x_1 | carrier.py:34 | Taint explicit.carrier | Attribute |
-| deep.py:2 | arg_0 | deep.py:2 | Taint simple.test | arg |
-| deep.py:5 | arg_0 | deep.py:5 | Taint simple.test | arg |
-| deep.py:6 | arg_1 | deep.py:5 | Taint simple.test | arg |
-| deep.py:8 | arg_0 | deep.py:8 | Taint simple.test | arg |
-| deep.py:9 | arg_1 | deep.py:8 | Taint simple.test | arg |
-| deep.py:11 | arg_0 | deep.py:11 | Taint simple.test | arg |
-| deep.py:12 | arg_1 | deep.py:11 | Taint simple.test | arg |
-| deep.py:14 | arg_0 | deep.py:14 | Taint simple.test | arg |
-| deep.py:15 | arg_1 | deep.py:14 | Taint simple.test | arg |
-| deep.py:17 | arg_0 | deep.py:17 | Taint simple.test | arg |
-| deep.py:18 | arg_1 | deep.py:17 | Taint simple.test | arg |
-| deep.py:20 | x_1 | deep.py:20 | Taint simple.test | f6() |
-| module.py:3 | dangerous_0 | module.py:3 | Taint simple.test | SOURCE |
-| rockpaperscissors.py:3 | arg_0 | rockpaperscissors.py:3 | Taint scissors | arg |
-| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint paper | arg |
-| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint rock | arg |
-| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint scissors | arg |
-| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint paper | arg |
-| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint scissors | arg |
-| rockpaperscissors.py:19 | x_0 | rockpaperscissors.py:19 | Taint rock | ROCK |
-| rockpaperscissors.py:20 | x_1 | rockpaperscissors.py:19 | Taint rock | ROCK |
-| rockpaperscissors.py:20 | y_0 | rockpaperscissors.py:20 | Taint scissors | Attribute() |
-| rockpaperscissors.py:21 | y_1 | rockpaperscissors.py:20 | Taint scissors | Attribute() |
-| rockpaperscissors.py:24 | x_0 | rockpaperscissors.py:24 | Taint rock | ROCK |
-| rockpaperscissors.py:25 | x_1 | rockpaperscissors.py:24 | Taint rock | ROCK |
-| rockpaperscissors.py:25 | y_0 | rockpaperscissors.py:25 | Taint paper | Attribute() |
-| rockpaperscissors.py:26 | y_1 | rockpaperscissors.py:25 | Taint paper | Attribute() |
-| rockpaperscissors.py:29 | x_0 | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
-| rockpaperscissors.py:30 | x_1 | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
-| rockpaperscissors.py:30 | y_0 | rockpaperscissors.py:30 | Taint paper | Attribute() |
-| rockpaperscissors.py:31 | x_2 | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
-| rockpaperscissors.py:32 | y_1 | rockpaperscissors.py:30 | Taint paper | Attribute() |
-| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint Command injection | arg |
-| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint SQL injection | arg |
-| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint Command injection | arg |
-| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint SQL injection | arg |
-| sanitizer.py:8 | x_5 | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:8 | x_5 | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:11 | x_1 | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:11 | x_2 | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:13 | x_3 | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:13 | x_3 | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:13 | x_4 | sanitizer.py:9 | Taint Command injection | user_input() |
-| sanitizer.py:13 | x_4 | sanitizer.py:9 | Taint SQL injection | user_input() |
-| sanitizer.py:15 | x_5 | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:15 | x_5 | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:18 | x_1 | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:18 | x_2 | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:20 | x_3 | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:20 | x_3 | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:20 | x_4 | sanitizer.py:16 | Taint Command injection | user_input() |
-| sanitizer.py:20 | x_4 | sanitizer.py:16 | Taint SQL injection | user_input() |
-| sanitizer.py:23 | x_5 | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:23 | x_5 | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:26 | x_1 | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:26 | x_1 | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:26 | x_2 | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:26 | x_2 | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:28 | x_3 | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:28 | x_3 | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:28 | x_4 | sanitizer.py:24 | Taint Command injection | user_input() |
-| sanitizer.py:28 | x_4 | sanitizer.py:24 | Taint SQL injection | user_input() |
-| sanitizer.py:30 | x_5 | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:30 | x_5 | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:33 | x_1 | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:33 | x_1 | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:33 | x_2 | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:33 | x_2 | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:35 | x_3 | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:35 | x_3 | sanitizer.py:31 | Taint SQL injection | user_input() |
-| sanitizer.py:35 | x_4 | sanitizer.py:31 | Taint Command injection | user_input() |
-| sanitizer.py:35 | x_4 | sanitizer.py:31 | Taint SQL injection | user_input() |
-| test.py:6 | s_0 | test.py:6 | Taint simple.test | SOURCE |
-| test.py:7 | s_1 | test.py:6 | Taint simple.test | SOURCE |
-| test.py:12 | arg_0 | test.py:12 | Taint simple.test | arg |
-| test.py:13 | arg_1 | test.py:12 | Taint simple.test | arg |
-| test.py:16 | t_0 | test.py:16 | Taint simple.test | source() |
-| test.py:17 | t_1 | test.py:16 | Taint simple.test | source() |
-| test.py:20 | t_0 | test.py:20 | Taint simple.test | SOURCE |
-| test.py:21 | t_1 | test.py:20 | Taint simple.test | SOURCE |
-| test.py:24 | t_0 | test.py:24 | Taint simple.test | source() |
-| test.py:25 | t_1 | test.py:24 | Taint simple.test | source() |
-| test.py:31 | t_2 | test.py:31 | Taint simple.test | SOURCE |
-| test.py:37 | t_0 | test.py:37 | Taint simple.test | SOURCE |
-| test.py:41 | t_1 | test.py:37 | Taint simple.test | SOURCE |
-| test.py:46 | arg_0 | test.py:46 | Taint simple.test | arg |
-| test.py:47 | arg_1 | test.py:46 | Taint simple.test | arg |
-| test.py:49 | arg_0 | test.py:49 | Taint simple.test | arg |
-| test.py:49 | arg_2 | test.py:49 | Taint simple.test | arg |
-| test.py:51 | arg_1 | test.py:49 | Taint simple.test | arg |
-| test.py:54 | t_0 | test.py:54 | Taint simple.test | source2() |
-| test.py:55 | t_1 | test.py:54 | Taint simple.test | source2() |
-| test.py:62 | t_1 | test.py:62 | Taint simple.test | SOURCE |
-| test.py:63 | t_2 | test.py:62 | Taint simple.test | SOURCE |
-| test.py:67 | t_0 | test.py:67 | Taint simple.test | SOURCE |
-| test.py:70 | t_2 | test.py:67 | Taint simple.test | SOURCE |
-| test.py:72 | arg_0 | test.py:72 | Attribute 'x' taint simple.test | arg |
-| test.py:72 | arg_0 | test.py:72 | Taint basic.custom | arg |
-| test.py:72 | arg_0 | test.py:72 | Taint simple.test | arg |
-| test.py:76 | t_0 | test.py:76 | Taint simple.test | SOURCE |
-| test.py:77 | t_1 | test.py:77 | Taint simple.test | hub() |
-| test.py:78 | t_2 | test.py:77 | Taint simple.test | hub() |
-| test.py:85 | module_0 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:87 | module_1 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:88 | t_0 | test.py:88 | Taint simple.test | Attribute |
-| test.py:89 | t_1 | test.py:88 | Taint simple.test | Attribute |
-| test.py:91 | module_2 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:95 | module_3 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:99 | module_4 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:100 | t_0 | test.py:100 | Taint simple.test | Attribute() |
-| test.py:101 | t_1 | test.py:100 | Taint simple.test | Attribute() |
-| test.py:105 | arg_0 | test.py:105 | Attribute 'x' taint simple.test | arg |
-| test.py:108 | module_5 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:110 | t_1 | test.py:110 | Attribute 'x' taint simple.test | t |
-| test.py:113 | module_6 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
-| test.py:115 | t_1 | test.py:115 | Attribute 'x' taint simple.test | t |
-| test.py:116 | t_2 | test.py:116 | Attribute 'x' taint simple.test | hub() |
-| test.py:117 | t_3 | test.py:116 | Attribute 'x' taint simple.test | hub() |
-| test.py:120 | t_0 | test.py:120 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:121 | t_1 | test.py:121 | Taint basic.custom | hub() |
-| test.py:122 | t_2 | test.py:121 | Taint basic.custom | hub() |
-| test.py:126 | t_0 | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:128 | t_2 | test.py:128 | Taint simple.test | SOURCE |
-| test.py:130 | t_1 | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:132 | t_3 | test.py:128 | Taint simple.test | SOURCE |
-| test.py:136 | t_0 | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:138 | t_2 | test.py:138 | Taint simple.test | SOURCE |
-| test.py:140 | t_3 | test.py:138 | Taint simple.test | SOURCE |
-| test.py:142 | t_1 | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:146 | t_0 | test.py:146 | Taint basic.custom | CUSTOM_SOURCE |
-| test.py:148 | t_3 | test.py:148 | Taint simple.test | SOURCE |
-| test.py:149 | t_1 | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
-| test.py:151 | t_2 | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
-| test.py:155 | unsafe_0 | test.py:155 | Taint simple.test | ImportMember |
-| test.py:156 | unsafe_1 | test.py:155 | Taint simple.test | ImportMember |
-| test.py:159 | t_0 | test.py:159 | Taint simple.test | SOURCE |
-| test.py:160 | t_1 | test.py:159 | Taint simple.test | SOURCE |
-| test.py:163 | s_0 | test.py:163 | Taint simple.test | SOURCE |
-| test.py:168 | l_0 | test.py:168 | Taint [simple.test] | List |
-| test.py:169 | d_0 | test.py:169 | Taint {simple.test} | Dict |
-| test.py:170 | l_1 | test.py:168 | Taint [simple.test] | List |
-| test.py:170 | x_1 | test.py:170 | Taint [simple.test] | l |
-| test.py:171 | d_1 | test.py:169 | Taint {simple.test} | Dict |
-| test.py:171 | y_1 | test.py:171 | Taint {simple.test} | d |
-| test.py:174 | l2_0 | test.py:174 | Taint [simple.test] | list() |
-| test.py:174 | l_2 | test.py:168 | Taint [simple.test] | List |
-| test.py:175 | d2_0 | test.py:175 | Taint {simple.test} | dict() |
-| test.py:175 | d_2 | test.py:169 | Taint {simple.test} | Dict |
-| test.py:178 | t_0 | test.py:178 | Taint simple.test | SOURCE |
-| test.py:180 | t_1 | test.py:178 | Taint simple.test | SOURCE |
-| test.py:180 | t_2 | test.py:178 | Taint simple.test | SOURCE |
-| test.py:183 | t_3 | test.py:178 | Taint simple.test | SOURCE |
-| test.py:186 | t_4 | test.py:178 | Taint simple.test | SOURCE |
-| test.py:189 | t_0 | test.py:189 | Taint falsey | FALSEY |
-| test.py:191 | t_1 | test.py:189 | Taint falsey | FALSEY |
-| test.py:194 | t_5 | test.py:195 | Taint simple.test | SOURCE |
-| test.py:195 | t_0 | test.py:195 | Taint simple.test | SOURCE |
-| test.py:197 | t_1 | test.py:195 | Taint simple.test | SOURCE |
-| test.py:197 | t_2 | test.py:195 | Taint simple.test | SOURCE |
-| test.py:199 | t_3 | test.py:195 | Taint simple.test | SOURCE |
-| test.py:199 | t_4 | test.py:195 | Taint simple.test | SOURCE |
-| test.py:202 | t_0 | test.py:202 | Taint iterable.simple | ITERABLE_SOURCE |
-| test.py:203 | i_1 | test.py:203 | Taint simple.test | For |
-| test.py:203 | i_2 | test.py:203 | Taint simple.test | For |
-| test.py:208 | seq_0 | test.py:208 | Taint [simple.test] | List |
-| test.py:209 | i_1 | test.py:209 | Taint simple.test | For |
-| test.py:209 | i_2 | test.py:209 | Taint simple.test | For |
-| test.py:213 | x_0 | test.py:213 | Taint simple.test | For |
-| test.py:213 | x_1 | test.py:213 | Taint simple.test | For |
-| test.py:214 | x_2 | test.py:213 | Taint simple.test | For |
+| carrier.py:4 | arg_0 | carrier.py:4 | Taint explicit.carrier |
+| carrier.py:4 | arg_0 | carrier.py:4 | Taint simple.test |
+| carrier.py:5 | self_1 | carrier.py:5 | Taint .attr = explicit.carrier |
+| carrier.py:5 | self_1 | carrier.py:5 | Taint .attr = simple.test |
+| carrier.py:10 | self_0 | carrier.py:10 | Taint .attr = simple.test |
+| carrier.py:13 | arg_0 | carrier.py:13 | Taint .attr = simple.test |
+| carrier.py:13 | arg_0 | carrier.py:13 | Taint explicit.carrier |
+| carrier.py:17 | c_0 | carrier.py:17 | Taint .attr = simple.test |
+| carrier.py:21 | c_0 | carrier.py:21 | Taint explicit.carrier |
+| carrier.py:22 | c_1 | carrier.py:22 | Taint explicit.carrier |
+| carrier.py:25 | c_0 | carrier.py:25 | Taint .attr = simple.test |
+| carrier.py:26 | c_1 | carrier.py:26 | Taint .attr = simple.test |
+| carrier.py:29 | c_0 | carrier.py:29 | Taint explicit.carrier |
+| carrier.py:30 | c_1 | carrier.py:30 | Taint explicit.carrier |
+| carrier.py:33 | c_0 | carrier.py:33 | Taint .attr = explicit.carrier |
+| carrier.py:34 | x_0 | carrier.py:34 | Taint explicit.carrier |
+| carrier.py:35 | x_1 | carrier.py:35 | Taint explicit.carrier |
+| deep.py:2 | arg_0 | deep.py:2 | Taint simple.test |
+| deep.py:5 | arg_0 | deep.py:5 | Taint simple.test |
+| deep.py:6 | arg_1 | deep.py:6 | Taint simple.test |
+| deep.py:8 | arg_0 | deep.py:8 | Taint simple.test |
+| deep.py:9 | arg_1 | deep.py:9 | Taint simple.test |
+| deep.py:11 | arg_0 | deep.py:11 | Taint simple.test |
+| deep.py:12 | arg_1 | deep.py:12 | Taint simple.test |
+| deep.py:14 | arg_0 | deep.py:14 | Taint simple.test |
+| deep.py:15 | arg_1 | deep.py:15 | Taint simple.test |
+| deep.py:17 | arg_0 | deep.py:17 | Taint simple.test |
+| deep.py:18 | arg_1 | deep.py:18 | Taint simple.test |
+| deep.py:20 | x_1 | deep.py:20 | Taint simple.test |
+| module.py:3 | dangerous_0 | module.py:3 | Taint simple.test |
+| rockpaperscissors.py:3 | arg_0 | rockpaperscissors.py:3 | Taint scissors |
+| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint paper |
+| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint rock |
+| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint scissors |
+| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint paper |
+| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint scissors |
+| rockpaperscissors.py:19 | x_0 | rockpaperscissors.py:19 | Taint rock |
+| rockpaperscissors.py:20 | x_1 | rockpaperscissors.py:20 | Taint rock |
+| rockpaperscissors.py:20 | y_0 | rockpaperscissors.py:20 | Taint scissors |
+| rockpaperscissors.py:21 | y_1 | rockpaperscissors.py:21 | Taint scissors |
+| rockpaperscissors.py:24 | x_0 | rockpaperscissors.py:24 | Taint rock |
+| rockpaperscissors.py:25 | x_1 | rockpaperscissors.py:25 | Taint rock |
+| rockpaperscissors.py:25 | y_0 | rockpaperscissors.py:25 | Taint paper |
+| rockpaperscissors.py:26 | y_1 | rockpaperscissors.py:26 | Taint paper |
+| rockpaperscissors.py:29 | x_0 | rockpaperscissors.py:29 | Taint scissors |
+| rockpaperscissors.py:30 | x_1 | rockpaperscissors.py:30 | Taint scissors |
+| rockpaperscissors.py:30 | y_0 | rockpaperscissors.py:30 | Taint paper |
+| rockpaperscissors.py:31 | x_2 | rockpaperscissors.py:31 | Taint scissors |
+| rockpaperscissors.py:32 | y_1 | rockpaperscissors.py:32 | Taint paper |
+| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint Command injection |
+| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint SQL injection |
+| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint Command injection |
+| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint SQL injection |
+| sanitizer.py:8 | x_5 | sanitizer.py:8 | Taint Command injection |
+| sanitizer.py:8 | x_5 | sanitizer.py:8 | Taint SQL injection |
+| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint Command injection |
+| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint SQL injection |
+| sanitizer.py:11 | x_1 | sanitizer.py:11 | Taint Command injection |
+| sanitizer.py:11 | x_2 | sanitizer.py:11 | Taint Command injection |
+| sanitizer.py:13 | x_3 | sanitizer.py:13 | Taint Command injection |
+| sanitizer.py:13 | x_3 | sanitizer.py:13 | Taint SQL injection |
+| sanitizer.py:13 | x_4 | sanitizer.py:13 | Taint Command injection |
+| sanitizer.py:13 | x_4 | sanitizer.py:13 | Taint SQL injection |
+| sanitizer.py:15 | x_5 | sanitizer.py:15 | Taint Command injection |
+| sanitizer.py:15 | x_5 | sanitizer.py:15 | Taint SQL injection |
+| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint Command injection |
+| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint SQL injection |
+| sanitizer.py:18 | x_1 | sanitizer.py:18 | Taint SQL injection |
+| sanitizer.py:18 | x_2 | sanitizer.py:18 | Taint SQL injection |
+| sanitizer.py:20 | x_3 | sanitizer.py:20 | Taint Command injection |
+| sanitizer.py:20 | x_3 | sanitizer.py:20 | Taint SQL injection |
+| sanitizer.py:20 | x_4 | sanitizer.py:20 | Taint Command injection |
+| sanitizer.py:20 | x_4 | sanitizer.py:20 | Taint SQL injection |
+| sanitizer.py:23 | x_5 | sanitizer.py:23 | Taint Command injection |
+| sanitizer.py:23 | x_5 | sanitizer.py:23 | Taint SQL injection |
+| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint Command injection |
+| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint SQL injection |
+| sanitizer.py:26 | x_1 | sanitizer.py:26 | Taint Command injection |
+| sanitizer.py:26 | x_1 | sanitizer.py:26 | Taint SQL injection |
+| sanitizer.py:26 | x_2 | sanitizer.py:26 | Taint Command injection |
+| sanitizer.py:26 | x_2 | sanitizer.py:26 | Taint SQL injection |
+| sanitizer.py:28 | x_3 | sanitizer.py:28 | Taint Command injection |
+| sanitizer.py:28 | x_3 | sanitizer.py:28 | Taint SQL injection |
+| sanitizer.py:28 | x_4 | sanitizer.py:28 | Taint Command injection |
+| sanitizer.py:28 | x_4 | sanitizer.py:28 | Taint SQL injection |
+| sanitizer.py:30 | x_5 | sanitizer.py:30 | Taint Command injection |
+| sanitizer.py:30 | x_5 | sanitizer.py:30 | Taint SQL injection |
+| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint Command injection |
+| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint SQL injection |
+| sanitizer.py:33 | x_1 | sanitizer.py:33 | Taint Command injection |
+| sanitizer.py:33 | x_1 | sanitizer.py:33 | Taint SQL injection |
+| sanitizer.py:33 | x_2 | sanitizer.py:33 | Taint Command injection |
+| sanitizer.py:33 | x_2 | sanitizer.py:33 | Taint SQL injection |
+| sanitizer.py:35 | x_3 | sanitizer.py:35 | Taint Command injection |
+| sanitizer.py:35 | x_3 | sanitizer.py:35 | Taint SQL injection |
+| sanitizer.py:35 | x_4 | sanitizer.py:35 | Taint Command injection |
+| sanitizer.py:35 | x_4 | sanitizer.py:35 | Taint SQL injection |
+| test.py:6 | s_0 | test.py:6 | Taint simple.test |
+| test.py:7 | s_1 | test.py:7 | Taint simple.test |
+| test.py:12 | arg_0 | test.py:12 | Taint simple.test |
+| test.py:13 | arg_1 | test.py:13 | Taint simple.test |
+| test.py:16 | t_0 | test.py:16 | Taint simple.test |
+| test.py:17 | t_1 | test.py:17 | Taint simple.test |
+| test.py:20 | t_0 | test.py:20 | Taint simple.test |
+| test.py:21 | t_1 | test.py:21 | Taint simple.test |
+| test.py:24 | t_0 | test.py:24 | Taint simple.test |
+| test.py:25 | t_1 | test.py:25 | Taint simple.test |
+| test.py:31 | t_2 | test.py:31 | Taint simple.test |
+| test.py:37 | t_0 | test.py:37 | Taint simple.test |
+| test.py:41 | t_1 | test.py:41 | Taint simple.test |
+| test.py:46 | arg_0 | test.py:46 | Taint simple.test |
+| test.py:47 | arg_1 | test.py:47 | Taint simple.test |
+| test.py:49 | arg_0 | test.py:49 | Taint simple.test |
+| test.py:49 | arg_2 | test.py:49 | Taint simple.test |
+| test.py:51 | arg_1 | test.py:51 | Taint simple.test |
+| test.py:54 | t_0 | test.py:54 | Taint simple.test |
+| test.py:55 | t_1 | test.py:55 | Taint simple.test |
+| test.py:62 | t_1 | test.py:62 | Taint simple.test |
+| test.py:63 | t_2 | test.py:63 | Taint simple.test |
+| test.py:67 | t_0 | test.py:67 | Taint simple.test |
+| test.py:70 | t_2 | test.py:70 | Taint simple.test |
+| test.py:72 | arg_0 | test.py:72 | Taint .x = simple.test |
+| test.py:72 | arg_0 | test.py:72 | Taint basic.custom |
+| test.py:72 | arg_0 | test.py:72 | Taint simple.test |
+| test.py:76 | t_0 | test.py:76 | Taint simple.test |
+| test.py:77 | t_1 | test.py:77 | Taint simple.test |
+| test.py:78 | t_2 | test.py:78 | Taint simple.test |
+| test.py:85 | module_0 | test.py:85 | Taint .dangerous = simple.test |
+| test.py:87 | module_1 | test.py:87 | Taint .dangerous = simple.test |
+| test.py:88 | t_0 | test.py:88 | Taint simple.test |
+| test.py:89 | t_1 | test.py:89 | Taint simple.test |
+| test.py:91 | module_2 | test.py:91 | Taint .dangerous = simple.test |
+| test.py:95 | module_3 | test.py:95 | Taint .dangerous = simple.test |
+| test.py:99 | module_4 | test.py:99 | Taint .dangerous = simple.test |
+| test.py:100 | t_0 | test.py:100 | Taint simple.test |
+| test.py:101 | t_1 | test.py:101 | Taint simple.test |
+| test.py:105 | arg_0 | test.py:105 | Taint .x = simple.test |
+| test.py:108 | module_5 | test.py:108 | Taint .dangerous = simple.test |
+| test.py:110 | t_1 | test.py:110 | Taint .x = simple.test |
+| test.py:113 | module_6 | test.py:113 | Taint .dangerous = simple.test |
+| test.py:115 | t_1 | test.py:115 | Taint .x = simple.test |
+| test.py:116 | t_2 | test.py:116 | Taint .x = simple.test |
+| test.py:117 | t_3 | test.py:117 | Taint .x = simple.test |
+| test.py:120 | t_0 | test.py:120 | Taint basic.custom |
+| test.py:121 | t_1 | test.py:121 | Taint basic.custom |
+| test.py:122 | t_2 | test.py:122 | Taint basic.custom |
+| test.py:126 | t_0 | test.py:126 | Taint basic.custom |
+| test.py:128 | t_2 | test.py:128 | Taint simple.test |
+| test.py:130 | t_1 | test.py:130 | Taint basic.custom |
+| test.py:132 | t_3 | test.py:132 | Taint simple.test |
+| test.py:136 | t_0 | test.py:136 | Taint basic.custom |
+| test.py:138 | t_2 | test.py:138 | Taint simple.test |
+| test.py:140 | t_3 | test.py:140 | Taint simple.test |
+| test.py:142 | t_1 | test.py:142 | Taint basic.custom |
+| test.py:146 | t_0 | test.py:146 | Taint basic.custom |
+| test.py:148 | t_3 | test.py:148 | Taint simple.test |
+| test.py:149 | t_1 | test.py:149 | Taint basic.custom |
+| test.py:151 | t_2 | test.py:151 | Taint basic.custom |
+| test.py:155 | unsafe_0 | test.py:155 | Taint simple.test |
+| test.py:156 | unsafe_1 | test.py:156 | Taint simple.test |
+| test.py:159 | t_0 | test.py:159 | Taint simple.test |
+| test.py:160 | t_1 | test.py:160 | Taint simple.test |
+| test.py:163 | s_0 | test.py:163 | Taint simple.test |
+| test.py:168 | l_0 | test.py:168 | Taint sequence of simple.test |
+| test.py:169 | d_0 | test.py:169 | Taint dict of simple.test |
+| test.py:170 | l_1 | test.py:170 | Taint sequence of simple.test |
+| test.py:170 | x_1 | test.py:170 | Taint sequence of simple.test |
+| test.py:171 | d_1 | test.py:171 | Taint dict of simple.test |
+| test.py:171 | y_1 | test.py:171 | Taint dict of simple.test |
+| test.py:174 | l2_0 | test.py:174 | Taint sequence of simple.test |
+| test.py:174 | l_2 | test.py:174 | Taint sequence of simple.test |
+| test.py:175 | d2_0 | test.py:175 | Taint dict of simple.test |
+| test.py:175 | d_2 | test.py:175 | Taint dict of simple.test |
+| test.py:178 | t_0 | test.py:178 | Taint simple.test |
+| test.py:180 | t_1 | test.py:180 | Taint simple.test |
+| test.py:180 | t_2 | test.py:180 | Taint simple.test |
+| test.py:183 | t_3 | test.py:183 | Taint simple.test |
+| test.py:186 | t_4 | test.py:186 | Taint simple.test |
+| test.py:189 | t_0 | test.py:189 | Taint falsey |
+| test.py:191 | t_1 | test.py:191 | Taint falsey |
+| test.py:194 | t_5 | test.py:194 | Taint simple.test |
+| test.py:195 | t_0 | test.py:195 | Taint simple.test |
+| test.py:197 | t_1 | test.py:197 | Taint simple.test |
+| test.py:197 | t_2 | test.py:197 | Taint simple.test |
+| test.py:199 | t_3 | test.py:199 | Taint simple.test |
+| test.py:199 | t_4 | test.py:199 | Taint simple.test |
+| test.py:202 | t_0 | test.py:202 | Taint iterable.simple |
+| test.py:203 | i_1 | test.py:203 | Taint simple.test |
+| test.py:203 | i_2 | test.py:203 | Taint simple.test |
+| test.py:208 | seq_0 | test.py:208 | Taint sequence of simple.test |
+| test.py:209 | i_1 | test.py:209 | Taint simple.test |
+| test.py:209 | i_2 | test.py:209 | Taint simple.test |
+| test.py:213 | x_0 | test.py:213 | Taint simple.test |
+| test.py:213 | x_1 | test.py:213 | Taint simple.test |
+| test.py:214 | x_2 | test.py:214 | Taint simple.test |
--- a/python/ql/test/library-tests/taint/general/TestVar.ql
+++ b/python/ql/test/library-tests/taint/general/TestVar.ql
@@ -4,6 +4,6 @@ import TaintLib


 from EssaVariable var, TaintedNode n
-where TaintFlowTest::tainted_var(var, _, n)
+where n.getNode().asVariable() = var
 select 
-    var.getDefinition().getLocation().toString(), var.getRepresentation(), n.getLocation().toString(), n.getTrackedValue(), n.getNode().getNode().toString()
+    var.getDefinition().getLocation().toString(), var.getRepresentation(), n.getLocation().toString(), "Taint " + n.toString()
--- a/python/ql/test/library-tests/taint/invalid/NoSink.expected
+++ b/python/ql/test/library-tests/taint/invalid/NoSink.expected
@@ -1 +0,0 @@
-| No sinks defined | This message wouldn't appear if the query were complete $@ | No sinks defined | nor this |
--- a/python/ql/test/library-tests/taint/invalid/NoSink.ql
+++ b/python/ql/test/library-tests/taint/invalid/NoSink.ql
@@ -1,25 +0,0 @@
-
-import python
-
-import semmle.python.security.TaintTracking
-
-/* Sources */
-
-class AnySource extends TaintSource {
-
-    AnySource() {
-        this instanceof ControlFlowNode
-    }
-
-    override predicate isSourceOf(TaintKind kind) { any() }
-
-}
-/* Flow */
-import semmle.python.security.strings.Untrusted
-
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink.toString(), "This message wouldn't appear if the query were complete $@",
-       src.toString(), "nor this"
-
--- a/python/ql/test/library-tests/taint/invalid/NoSource.expected
+++ b/python/ql/test/library-tests/taint/invalid/NoSource.expected
@@ -1 +0,0 @@
-| No sources defined | This message wouldn't appear if the query were complete $@ | No sources defined | nor this |
--- a/python/ql/test/library-tests/taint/invalid/NoSource.ql
+++ b/python/ql/test/library-tests/taint/invalid/NoSource.ql
@@ -1,26 +0,0 @@
-
-import python
-
-import semmle.python.security.TaintTracking
-
-/* Flow */
-import semmle.python.security.strings.Untrusted
-
-/* Sinks */
-
-class AnySink extends TaintSink{
-
-    AnySink() {
-        this instanceof ControlFlowNode
-    }
-
-    override predicate sinks(TaintKind kind) { any() }
-
-}
-
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink.toString(), "This message wouldn't appear if the query were complete $@",
-       src.toString(), "nor this"
-
--- a/python/ql/test/library-tests/taint/invalid/test.py
+++ b/python/ql/test/library-tests/taint/invalid/test.py
--- a/python/ql/test/library-tests/taint/strings/DistinctStringKinds.expected
+++ b/python/ql/test/library-tests/taint/strings/DistinctStringKinds.expected
@@ -1,16 +1,16 @@
-| Taint exception.info | test.py:54 | test.py:54:22:54:26 | taint | test.py:59 |
-| Taint exception.info | test.py:55 | test.py:55:12:55:22 | func() | test.py:59 |
-| Taint exception.info | test.py:55 | test.py:55:17:55:21 | taint | test.py:59 |
+| Taint exception.info | test.py:54 | test.py:54:22:54:26 | taint | p1 = exception.info |
+| Taint exception.info | test.py:55 | test.py:55:12:55:22 | func() | p1 = exception.info |
+| Taint exception.info | test.py:55 | test.py:55:17:55:21 | taint | p1 = exception.info |
 | Taint exception.info | test.py:58 | test.py:58:12:58:33 | TAINTED_EXCEPTION_INFO |  |
 | Taint exception.info | test.py:59 | test.py:59:11:59:41 | cross_over() |  |
 | Taint exception.info | test.py:59 | test.py:59:37:59:40 | info |  |
-| Taint exception.info | test.py:61 | test.py:61:19:61:21 | arg | test.py:55 from test.py:59 |
-| Taint exception.info | test.py:62 | test.py:62:12:62:14 | arg | test.py:55 from test.py:59 |
-| Taint externally controlled string | test.py:54 | test.py:54:22:54:26 | taint | test.py:66 |
-| Taint externally controlled string | test.py:55 | test.py:55:12:55:22 | func() | test.py:66 |
-| Taint externally controlled string | test.py:55 | test.py:55:17:55:21 | taint | test.py:66 |
-| Taint externally controlled string | test.py:61 | test.py:61:19:61:21 | arg | test.py:55 from test.py:66 |
-| Taint externally controlled string | test.py:62 | test.py:62:12:62:14 | arg | test.py:55 from test.py:66 |
+| Taint exception.info | test.py:61 | test.py:61:19:61:21 | arg | p0 = exception.info |
+| Taint exception.info | test.py:62 | test.py:62:12:62:14 | arg | p0 = exception.info |
+| Taint externally controlled string | test.py:54 | test.py:54:22:54:26 | taint | p1 = externally controlled string |
+| Taint externally controlled string | test.py:55 | test.py:55:12:55:22 | func() | p1 = externally controlled string |
+| Taint externally controlled string | test.py:55 | test.py:55:17:55:21 | taint | p1 = externally controlled string |
+| Taint externally controlled string | test.py:61 | test.py:61:19:61:21 | arg | p0 = externally controlled string |
+| Taint externally controlled string | test.py:62 | test.py:62:12:62:14 | arg | p0 = externally controlled string |
 | Taint externally controlled string | test.py:65 | test.py:65:11:65:33 | TAINTED_EXTERNAL_STRING |  |
 | Taint externally controlled string | test.py:66 | test.py:66:11:66:41 | cross_over() |  |
 | Taint externally controlled string | test.py:66 | test.py:66:38:66:40 | ext |  |
--- a/python/ql/test/library-tests/taint/strings/DistinctStringKinds.ql
+++ b/python/ql/test/library-tests/taint/strings/DistinctStringKinds.ql
@@ -32,8 +32,7 @@ class ExternalStringSource extends TaintSource {
    }

 }
-
 from TaintedNode n
 where n.getLocation().getFile().getName().matches("%test.py")
-select n.getTrackedValue(), n.getLocation().toString(), n.getAstNode(), n.getContext()
+select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getAstNode(), n.getContext()

--- a/python/ql/test/library-tests/taint/strings/Taint.qll
+++ b/python/ql/test/library-tests/taint/strings/Taint.qll
@@ -11,7 +11,7 @@ class SimpleSource extends TaintSource {
        kind instanceof ExternalStringKind
    }

-    string toString() {
+    override string toString() {
        result = "taint source"
    }

@@ -25,7 +25,7 @@ class ListSource extends TaintSource {
        kind instanceof ExternalStringSequenceKind
    }

-    string toString() {
+    override string toString() {
        result = "list taint source"
    }

@@ -39,9 +39,10 @@ class DictSource extends TaintSource {
        kind instanceof ExternalStringDictKind
    }

-    string toString() {
+    override string toString() {
        result = "dict taint source"
    }

 }

+
--- a/python/ql/test/library-tests/taint/strings/TestNode.ql
+++ b/python/ql/test/library-tests/taint/strings/TestNode.ql
@@ -5,5 +5,5 @@ import Taint

 from TaintedNode n
 where n.getLocation().getFile().getName().matches("%test.py")
-select n.getTrackedValue(), n.getLocation().toString(), n.getAstNode(), n.getContext()
+select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getCfgNode().getNode(), n.getContext()

--- a/python/ql/test/library-tests/taint/strings/TestStep.ql
+++ b/python/ql/test/library-tests/taint/strings/TestStep.ql
@@ -8,6 +8,6 @@ where n.getLocation().getFile().getName().matches("%test.py") and
 s.getLocation().getFile().getName().matches("%test.py") and
 s = n.getASuccessor()
 select 
-    n.getTrackedValue(), n.getLocation().toString(), n.getAstNode(), n.getContext(), 
+    "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getAstNode(), n.getContext(),
    " --> ",
-    s.getTrackedValue(), s.getLocation().toString(), s.getAstNode(), s.getContext()
+    "Taint " + s.getTaintKind(), s.getLocation().toString(), s.getAstNode(), s.getContext()
--- a/python/ql/test/library-tests/web/falcon/Sinks.expected
+++ b/python/ql/test/library-tests/web/falcon/Sinks.expected
@@ -1 +0,0 @@
-| test.py:17 | Attribute() | externally controlled string |
--- a/python/ql/test/library-tests/web/falcon/Taint.expected
+++ b/python/ql/test/library-tests/web/falcon/Taint.expected
@@ -8,7 +8,6 @@
 | test.py:12 | resp | falcon.response |
 | test.py:13 | Dict | {json[externally controlled string]} |
 | test.py:15 | result | json[externally controlled string] |
-| test.py:17 | resp | falcon.response |
 | test.py:17 | result | {json[externally controlled string]} |
 | test.py:19 | req | falcon.request |
 | test.py:19 | resp | falcon.response |
				`@@ -1 +0,0 @@`
				`\| No sinks defined \| This message wouldn't appear if the query were complete $@ \| No sinks defined \| nor this \|`
				`@@ -1 +0,0 @@`
				`\| No sources defined \| This message wouldn't appear if the query were complete $@ \| No sources defined \| nor this \|`
				`@@ -1 +0,0 @@`
				`\| test.py:17 \| Attribute() \| externally controlled string \|`