diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
index 0714bebf5ba..b6291bfe6f9 100644
--- a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
@@ -7,10 +7,8 @@ private import semmle.code.java.Maps
 private import semmle.code.java.JDK
 
 private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.getType() instanceof TypeProcessBuilder }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(MethodCall mc | mc.getQualifier() = node1.asExpr() and mc = node2.asExpr() |
+  predicate isSource(DataFlow::Node source) {
+    exists(MethodCall mc | mc = source.asExpr() |
       mc.getMethod().hasQualifiedName("java.lang", "ProcessBuilder", "environment")
     )
   }
@@ -18,8 +16,7 @@ private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapPutCall mpc).getQualifier() }
 }
 
-private module ProcessBuilderEnvironmentFlow =
-  TaintTracking::Global;
+private module ProcessBuilderEnvironmentFlow = DataFlow::Global;
 
 module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
@@ -28,7 +25,7 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
     sinkNode(sink, "environment-injection")
     or
     exists(MapPutCall mpc | mpc.getAnArgument() = sink.asExpr() |
-      ProcessBuilderEnvironmentFlow::flow(_, DataFlow::exprNode(mpc.getQualifier()))
+      ProcessBuilderEnvironmentFlow::flowToExpr(mpc.getQualifier())
     )
   }
 }
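Review bot: The private module `ProcessBuilderEnvironmentConfig` still carries no QLDoc, and after this change its contract is less obvious than before — the source is now the `Map` returned by `ProcessBuilder.environment()` rather than any `ProcessBuilder`-typed node, and the second hunk pairs it with `DataFlow::Global` instead of `TaintTracking::Global`, so only value-preserving flow from that map to a `MapPutCall` qualifier is found. I would add above the module: `/** Tracks the environment `Map` returned by `ProcessBuilder.environment()` to the qualifier of a `Map.put`-style call, so that writes to it can be treated as environment-injection sinks. */`. Whether a map that is re-wrapped (e.g. via a `Collections` wrapper) before the `put` was ever meant to be matched is not visible here; if it was, the switch away from taint tracking narrows coverage and should be confirmed with a test. The module argument to `Global` appears to have been stripped in this rendering of the second hunk, presumably by the tooling rather than the commit. The third hunk's move to `flowToExpr` is a plain simplification and needs nothing further.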