NEVER MERGE: Ensure we don't use site-packages stuff

python/ql/lib/semmle/python/ApiGraphs.qll

@@ -838,6 +838,7 @@ module API {
         // Subclassing a node
         lbl = Label::subclass() and
         exists(PY::ClassExpr clsExpr, DataFlow::Node superclass | pred.flowsTo(superclass) |
+          exists(clsExpr.getLocation().getFile().getRelativePath()) and
           clsExpr.getABase() = superclass.asExpr() and
           // Potentially a class decorator could do anything, but we assume they are
           // "benign" and let subclasses edges flow through anyway.

python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll

@@ -36,6 +36,7 @@ private import semmle.python.dataflow.new.internal.ImportStar
 class LocalSourceNode extends Node {
   cached
   LocalSourceNode() {
+    exists(this.getLocation().getFile().getRelativePath()) and (
     Stages::DataFlow::ref() and
     this instanceof ExprNode and
     not simpleLocalFlowStepForTypetracking(_, this)
@@ -72,6 +73,7 @@ class LocalSourceNode extends Node {
     // We include all scope entry definitions, as these act as the local source within the scope they
     // enter.
     this.asCfgNode() = any(ScopeEntryDefinition def).getDefiningNode()
+    )
   }
 
   /** Holds if this `LocalSourceNode` can flow to `nodeTo` in one or more local flow steps. */