Merge branch 'fix/thread-resource-arithmetic' of https://github.com/ebickle/codeql into fix/thread-resource-arithmetic

java/ql/lib/change-notes/2023-10-07-MemberRefExpr-getReceiverExpr.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added predicate `MemberRefExpr::getReceiverExpr`

java/ql/lib/change-notes/2023-10-09-outdated-deprecations.md

@@ -0,0 +1,12 @@
+---
+category: minorAnalysis
+---
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
+* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
+* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
+* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
+* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
+* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
+* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
+* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.

java/ql/lib/semmle/code/java/Annotation.qll

@@ -46,20 +46,6 @@ class Annotation extends @annotation, Expr {
     result = this.getType().getAnnotationElement(name)
   }
 
-  /**
-   * DEPRECATED: Getting the value of _any_ annotation element is error-prone because
-   * it could lead to selecting the value of the wrong element by accident (for example
-   * when an annotation type is extended in the future). Prefer the predicate `getValue(string)`
-   * and explicitly specify the element name. Use `getValue(_)` if it is really desired to
-   * get the value of any element.
-   *
-   * Gets a value of an annotation element. This includes default values in case
-   * no explicit value is specified. For elements with an array value type this
-   * might have an `ArrayInit` as result. To properly handle array values, prefer
-   * the predicate `getAnArrayValue`.
-   */
-  deprecated Expr getAValue() { filteredAnnotValue(this, _, result) }
-
   /**
    * Gets the value of the annotation element with the specified `name`.
    * This includes default values in case no explicit value is specified.
@@ -157,11 +143,6 @@ class Annotation extends @annotation, Expr {
    */
   Expr getAnArrayValue(string name) { result = this.getArrayValue(name, _) }
 
-  /**
-   * DEPRECATED: Predicate has been renamed to `getAnArrayValue`
-   */
-  deprecated Expr getAValue(string name) { result = this.getAnArrayValue(name) }
-
   /**
    * Gets a value of the annotation element with the specified `name`, which must be declared as an enum
    * type array. This includes default values in case no explicit value is specified.

java/ql/lib/semmle/code/java/Expr.qll

@@ -609,9 +609,6 @@ class LongLiteral extends Literal, @longliteral {
   override string getAPrimaryQlClass() { result = "LongLiteral" }
 }
 
-/** DEPRECATED: Alias for FloatLiteral */
-deprecated class FloatingPointLiteral = FloatLiteral;
-
 /**
  * A float literal. For example, `4.2f`.
  *
@@ -1199,15 +1196,15 @@ class ClassInstanceExpr extends Expr, ConstructorCall, @classinstancexpr {
   }
 
   /**
-   * Gets a type argument provided to the constructor of this class instance creation expression.
+   * Gets a type argument of the type of the created instance.
    *
-   * This is used for instantiations of parameterized classes.
+   * This is used for instantiations of parameterized classes. For example for
+   * `new ArrayList<String>()` the result would be the expression representing `String`.
    */
   Expr getATypeArgument() { result = this.getTypeName().(TypeAccess).getATypeArgument() }
 
   /**
-   * Gets the type argument provided to the constructor of this class instance creation expression
-   * at the specified (zero-based) position.
+   * Gets the type argument of the type of the created instance, at the specified (zero-based) position.
    */
   Expr getTypeArgument(int index) {
     result = this.getTypeName().(TypeAccess).getTypeArgument(index)
@@ -1333,6 +1330,40 @@ class MemberRefExpr extends FunctionalExpr, @memberref {
    */
   override Method asMethod() { result = this.getAnonymousClass().getAMethod() }
 
+  private Expr getResultExpr() {
+    exists(Stmt stmt |
+      stmt = this.asMethod().getBody().(SingletonBlock).getStmt() and
+      (
+        result = stmt.(ReturnStmt).getResult()
+        or
+        // Note: Currently never an ExprStmt, but might change once https://github.com/github/codeql/issues/3605 is fixed
+        result = stmt.(ExprStmt).getExpr()
+      )
+    )
+  }
+
+  /**
+   * Gets the expression whose member this member reference refers to, that is, the left
+   * side of the `::`. For example, for the member reference `this::toString` the receiver
+   * expression is the `this` expression.
+   *
+   * This predicate might not have a result in all cases where the receiver expression is
+   * a type access, for example `MyClass::...`.
+   */
+  Expr getReceiverExpr() {
+    exists(Expr resultExpr | resultExpr = this.getResultExpr() |
+      result = resultExpr.(Call).getQualifier() and
+      // Ignore if the qualifier is a parameter of the method of the synthetic anonymous class
+      // (this is the case for method refs of instance methods which don't capture the instance, e.g. `Object::toString`)
+      // Could try to use TypeAccess as result here from child of MemberRefExpr, but that complexity might not be worth it
+      not this.asMethod().getAParameter().getAnAccess() = result
+      or
+      result = resultExpr.(ClassInstanceExpr).getTypeName()
+      // Don't cover array creation because ArrayCreationExpr currently does not have a predicate
+      // to easily get ArrayTypeAccess which should probably be the result here
+    )
+  }
+
   /**
    * Gets the receiver type whose member this expression refers to. The result might not be
    * the type which actually declares the member. For example, for the member reference `ArrayList::toString`,
@@ -1340,15 +1371,7 @@ class MemberRefExpr extends FunctionalExpr, @memberref {
    * `getReferencedCallable` will have `java.util.AbstractCollection.toString` as result, which `ArrayList` inherits.
    */
   RefType getReceiverType() {
-    exists(Stmt stmt, Expr resultExpr |
-      stmt = this.asMethod().getBody().(SingletonBlock).getStmt() and
-      (
-        resultExpr = stmt.(ReturnStmt).getResult()
-        or
-        // Note: Currently never an ExprStmt, but might change once https://github.com/github/codeql/issues/3605 is fixed
-        resultExpr = stmt.(ExprStmt).getExpr()
-      )
-    |
+    exists(Expr resultExpr | resultExpr = this.getResultExpr() |
       result = resultExpr.(MethodAccess).getReceiverType() or
       result = resultExpr.(ClassInstanceExpr).getConstructedType() or
       result = resultExpr.(ArrayCreationExpr).getType()

java/ql/lib/semmle/code/java/JDKAnnotations.qll

@@ -18,14 +18,6 @@ class OverrideAnnotation extends Annotation {
 class SuppressWarningsAnnotation extends Annotation {
   SuppressWarningsAnnotation() { this.getType().hasQualifiedName("java.lang", "SuppressWarnings") }
 
-  /**
-   * DEPRECATED: This predicate restricts the results to `StringLiteral`; prefer `getASuppressedWarning()`
-   * to get the name of a suppressed warning.
-   *
-   * Gets the `StringLiteral` of a warning suppressed by this annotation.
-   */
-  deprecated StringLiteral getASuppressedWarningLiteral() { result = this.getAnArrayValue("value") }
-
   /** Gets the name of a warning suppressed by this annotation. */
   string getASuppressedWarning() { result = this.getAStringArrayValue("value") }
 }
@@ -34,17 +26,6 @@ class SuppressWarningsAnnotation extends Annotation {
 class TargetAnnotation extends Annotation {
   TargetAnnotation() { this.getType().hasQualifiedName("java.lang.annotation", "Target") }
 
-  /**
-   * DEPRECATED: Getting the field access expression is rarely useful. Use `getATargetElementType()`
-   * to get the name of the target element.
-   *
-   * Gets a target expression within this annotation.
-   *
-   * For example, the field access `ElementType.FIELD` is a target expression in
-   * `@Target({ElementType.FIELD, ElementType.METHOD})`.
-   */
-  deprecated Expr getATargetExpression() { result = this.getAnArrayValue("value") }
-
   /**
    * Gets the name of a target element type.
    *
@@ -58,17 +39,6 @@ class TargetAnnotation extends Annotation {
 class RetentionAnnotation extends Annotation {
   RetentionAnnotation() { this.getType().hasQualifiedName("java.lang.annotation", "Retention") }
 
-  /**
-   * DEPRECATED: Getting the field access expression is rarely useful. Use `getRetentionPolicy()`
-   * to get the name of the retention policy.
-   *
-   * Gets the retention policy expression within this annotation.
-   *
-   * For example, the field access `RetentionPolicy.RUNTIME` is the
-   * retention policy expression in `@Retention(RetentionPolicy.RUNTIME)`.
-   */
-  deprecated Expr getRetentionPolicyExpression() { result = this.getValue("value") }
-
   /**
    * Gets the name of the retention policy of this annotation.
    *

java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll

@@ -96,15 +96,6 @@ private predicate condtionCheckMethodTestingFramework(Method m, int argument, bo
   )
 }
 
-/**
- * DEPRECATED: Use `conditionCheckArgument` instead.
- * Holds if `ma` is an access to a non-overridable method that checks that its
- * first argument is equal to `checkTrue` and throws otherwise.
- */
-deprecated predicate conditionCheck(MethodAccess ma, boolean checkTrue) {
-  conditionCheckArgument(ma, 0, checkTrue)
-}
-
 /**
  * Holds if `ma` is an access to a non-overridable method that checks that its
  * zero-indexed `argument` is equal to `checkTrue` and throws otherwise.

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll

@@ -91,21 +91,6 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
    */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
   }
 }
 
-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
@@ -288,9 +250,7 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrier(Node node, FlowState state) {
     getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
   }
 
   predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll

@@ -91,21 +91,6 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
    */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
   }
 }
 
-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
@@ -288,9 +250,7 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrier(Node node, FlowState state) {
     getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
   }
 
   predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll

@@ -91,21 +91,6 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
    */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
   }
 }
 
-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
@@ -288,9 +250,7 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrier(Node node, FlowState state) {
     getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
   }
 
   predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll

@@ -91,21 +91,6 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
    */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
   }
 }
 
-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
@@ -288,9 +250,7 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrier(Node node, FlowState state) {
     getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
   }
 
   predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll

@@ -91,21 +91,6 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
    */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
   }
 }
 
-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
@@ -288,9 +250,7 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrier(Node node, FlowState state) {
     getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
   }
 
   predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll

@@ -91,21 +91,6 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
    */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
   }
 }
 
-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
@@ -288,9 +250,7 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrier(Node node, FlowState state) {
     getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
   }
 
   predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -387,29 +387,3 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     )
   }
 }
-
-/**
- * DEPRECATED: Use `BarrierGuard` module instead.
- *
- * A guard that validates some expression.
- *
- * To use this in a configuration, extend the class and provide a
- * characteristic predicate precisely specifying the guard, and override
- * `checks` to specify what is being validated and in which branch.
- *
- * It is important that all extending classes in scope are disjoint.
- */
-deprecated class BarrierGuard extends Guard {
-  /** Holds if this guard validates `e` upon evaluating to `branch`. */
-  abstract predicate checks(Expr e, boolean branch);
-
-  /** Gets a node guarded by this guard. */
-  final Node getAGuardedNode() {
-    exists(SsaVariable v, boolean branch, RValue use |
-      this.checks(v.getAUse(), branch) and
-      use = v.getAUse() and
-      this.controls(use.getBasicBlock(), branch) and
-      result.asExpr() = use
-    )
-  }
-}

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -618,7 +618,7 @@ private MethodAccess callReturningSameType(Expr ref) {
 }
 
 private SrcRefType entrypointType() {
-  exists(RemoteFlowSource s, RefType t |
+  exists(ThreatModelFlowSource s, RefType t |
     s instanceof DataFlow::ExplicitParameterNode and
     t = pragma[only_bind_out](s).getType() and
     not t instanceof TypeObject and
@@ -629,6 +629,10 @@ private SrcRefType entrypointType() {
 }
 
 private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {
-  src = DataFlow::getFieldQualifier(sink.asExpr().(FieldRead)) and
+  exists(FieldRead fa |
+    fa = sink.asExpr() and
+    src = DataFlow::getFieldQualifier(fa) and
+    not fa.getField().isStatic()
+  ) and
   src.getType().(RefType).getSourceDeclaration() = entrypointType()
 }

java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -116,33 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
   /**
    * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
    */

java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -116,33 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
   /**
    * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
    */

java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -116,33 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
   /**
    * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
    */

java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll

@@ -30,7 +30,7 @@ deprecated class IntentRedirectionConfiguration extends TaintTracking::Configura
 
 /** A taint tracking configuration for tainted Intents being used to start Android components. */
 module IntentRedirectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
 
@@ -57,7 +57,7 @@ private class OriginalIntentSanitizer extends IntentRedirectionSanitizer {
  * flowing directly to sinks that start Android components.
  */
 private module SameIntentBeingRelaunchedConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
 
@@ -93,7 +93,7 @@ private class IntentWithTaintedComponent extends DataFlow::Node {
  * A taint tracking configuration for tainted data flowing to an `Intent`'s component.
  */
 private module TaintedIntentComponentConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     any(IntentSetComponent setComponent).getSink() = sink.asExpr()

java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll

@@ -74,7 +74,7 @@ class ExternalApkSource extends DataFlow::Node {
     sourceNode(this, "android-external-storage-dir") or
     this.asExpr().(MethodAccess).getMethod() instanceof UriConstructorMethod or
     this.asExpr().(StringLiteral).getValue().matches("file://%") or
-    this instanceof RemoteFlowSource
+    this instanceof ThreatModelFlowSource
   }
 }
 

java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll

@@ -6,7 +6,7 @@ private import semmle.code.java.security.ArithmeticCommon
 
 /** A taint-tracking configuration to reason about overflow from unvalidated user input. */
 module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
@@ -17,7 +17,7 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
 
 /** A taint-tracking configuration to reason about underflow from unvalidated user input. */
 module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -52,7 +52,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer
  * A taint-tracking configuration for unvalidated user input that is used to run an external process.
  */
 module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
 

java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll

@@ -57,7 +57,7 @@ deprecated class ConditionalBypassFlowConfig extends TaintTracking::Configuratio
  * A taint tracking configuration for untrusted data flowing to sensitive conditions.
  */
 module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
 

java/ql/lib/semmle/code/java/security/ExternalAPIs.qll

@@ -106,10 +106,10 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
 }
 
 /**
- * Taint tracking configuration for flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
+ * Taint tracking configuration for flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s.
  */
 module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }

java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll

@@ -8,7 +8,7 @@ private import semmle.code.java.StringFormat
  * A taint-tracking configuration for externally controlled format string vulnerabilities.
  */
 module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(StringFormat formatCall).getFormatArgument()

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -28,7 +28,7 @@ deprecated class FragmentInjectionTaintConf extends TaintTracking::Configuration
  * that is used to create Android fragments dynamically.
  */
 module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
 

java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll

@@ -28,7 +28,7 @@ deprecated class GroovyInjectionConfig extends TaintTracking::Configuration {
  * that is used to evaluate a Groovy expression.
  */
 module GroovyInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
 

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll

@@ -5,10 +5,11 @@ private import semmle.code.java.security.internal.ArraySizing
 private import semmle.code.java.dataflow.FlowSources
 
 /**
- * A taint-tracking configuration to reason about improper validation of user-provided size used for array construction.
+ * A taint-tracking configuration to reason about improper validation of
+ * user-provided size used for array construction.
  */
 module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
@@ -16,7 +17,8 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
 }
 
 /**
- * Taint-tracking flow for improper validation of user-provided size used for array construction.
+ * Taint-tracking flow for improper validation of user-provided size used
+ * for array construction.
  */
 module ImproperValidationOfArrayConstructionFlow =
   TaintTracking::Global<ImproperValidationOfArrayConstructionConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll

@@ -5,10 +5,11 @@ private import semmle.code.java.security.internal.ArraySizing
 private import semmle.code.java.dataflow.FlowSources
 
 /**
- * A taint-tracking configuration to reason about improper validation of user-provided array index.
+ * A taint-tracking configuration to reason about improper validation
+ * of user-provided array index.
  */
 module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())

java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll

@@ -46,7 +46,7 @@ class SetMessageInterpolatorCall extends MethodAccess {
  * to the argument of a method that builds constraint error messages.
  */
 module BeanValidationConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
 }

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll

@@ -23,16 +23,6 @@ abstract class IntentUriPermissionManipulationSink extends DataFlow::Node { }
  */
 abstract class IntentUriPermissionManipulationSanitizer extends DataFlow::Node { }
 
-/**
- * DEPRECATED: Use `IntentUriPermissionManipulationSanitizer` instead.
- *
- * A guard that makes sure that an Intent is safe to be returned to another Activity.
- *
- * Usually, this is done by checking that the Intent's data URI and/or its flags contain
- * expected values.
- */
-abstract deprecated class IntentUriPermissionManipulationGuard extends DataFlow::BarrierGuard { }
-
 /**
  * An additional taint step for flows related to Intent URI permission manipulation
  * vulnerabilities.

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll

@@ -26,10 +26,6 @@ deprecated class IntentUriPermissionManipulationConf extends TaintTracking::Conf
     barrier instanceof IntentUriPermissionManipulationSanitizer
   }
 
-  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof IntentUriPermissionManipulationGuard
-  }
-
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
   }
@@ -39,7 +35,7 @@ deprecated class IntentUriPermissionManipulationConf extends TaintTracking::Conf
  * A taint tracking configuration for user-provided Intents being returned to third party apps.
  */
 module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink }
 

java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll

@@ -63,7 +63,7 @@ deprecated class JexlInjectionConfig extends TaintTracking::Configuration {
  * It supports both JEXL 2 and 3.
  */
 module JexlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
 

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -33,7 +33,7 @@ deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration {
  * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
  */
 module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 

java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll

@@ -8,7 +8,7 @@ import semmle.code.java.security.LdapInjection
  * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
  */
 module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof LdapInjectionSink }
 

java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll

@@ -27,7 +27,7 @@ deprecated class LogInjectionConfiguration extends TaintTracking::Configuration
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
 module LogInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }
 

java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll

@@ -32,7 +32,7 @@ deprecated class MvelInjectionFlowConfig extends TaintTracking::Configuration {
  * that is used to construct and evaluate a MVEL expression.
  */
 module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink }
 

java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll

@@ -85,7 +85,7 @@ private predicate smallExpr(Expr e) {
  * numeric cast.
  */
 module NumericCastFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -29,7 +29,7 @@ deprecated class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
  * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
  */
 module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
 

java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll

@@ -29,7 +29,7 @@ deprecated class PartialPathTraversalFromRemoteConfig extends TaintTracking::Con
  * and remains vulnerable to Partial Path Traversal.
  */
 module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node node) {
     any(PartialPathTraversalMethodAccess ma).getQualifier() = node.asExpr()

java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll

@@ -37,7 +37,7 @@ deprecated class RequestForgeryConfiguration extends TaintTracking::Configuratio
  */
 module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
+    source instanceof ThreatModelFlowSource and
     // Exclude results of remote HTTP requests: fetching something else based on that result
     // is no worse than following a redirect returned by the remote server, and typically
     // we're requesting a resource via https which we trust to only send us to safe URLs.

java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll

@@ -9,7 +9,7 @@ import semmle.code.java.security.ResponseSplitting
  */
 module ResponseSplittingConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
+    source instanceof ThreatModelFlowSource and
     not source instanceof SafeHeaderSplittingSource
   }
 

java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll

@@ -18,7 +18,7 @@ private class ResultReceiverSendCall extends MethodAccess {
 }
 
 private module UntrustedResultReceiverConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node node) {
     node.asExpr() = any(ResultReceiverSendCall c).getReceiver()

java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll

@@ -29,7 +29,7 @@ deprecated class SpelInjectionConfig extends TaintTracking::Configuration {
  * that is used to construct and evaluate a SpEL expression.
  */
 module SpelInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink }
 

java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll

@@ -37,7 +37,7 @@ deprecated class QueryInjectionFlowConfig extends TaintTracking::Configuration {
  * A taint-tracking configuration for unvalidated user input that is used in SQL queries.
  */
 module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -52,7 +52,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
  * A taint-tracking configuration for tracking flow from remote sources to the creation of a path.
  */
 module TaintedPathConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 

java/ql/lib/semmle/code/java/security/TemplateInjection.qll

@@ -62,7 +62,7 @@ abstract class TemplateInjectionSanitizerWithState extends DataFlow::Node {
   abstract predicate hasState(DataFlow::FlowState state);
 }
 
-private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof RemoteFlowSource
+private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ThreatModelFlowSource
 { }
 
 private class DefaultTemplateInjectionSink extends TemplateInjectionSink {

java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll

@@ -12,7 +12,8 @@ private import semmle.code.java.frameworks.owasp.Esapi
  */
 abstract class TrustBoundaryViolationSource extends DataFlow::Node { }
 
-private class RemoteSource extends TrustBoundaryViolationSource instanceof RemoteFlowSource { }
+private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ThreatModelFlowSource
+{ }
 
 /**
  * A sink for data that crosses a trust boundary.

java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll

@@ -27,7 +27,7 @@ deprecated class FetchUntrustedResourceConfiguration extends TaintTracking::Conf
  * A taint configuration tracking flow from untrusted inputs to a resource fetching call.
  */
 module FetchUntrustedResourceConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
 

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -30,7 +30,7 @@ deprecated class UnsafeContentResolutionConf extends TaintTracking::Configuratio
  * A taint-tracking configuration to find paths from remote sources to content URI resolutions.
  */
 module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }
 

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -324,7 +324,7 @@ deprecated class UnsafeDeserializationConfig extends TaintTracking::Configuratio
 
 /** Tracks flows from remote user input to a deserialization sink. */
 private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
 
@@ -448,7 +448,7 @@ deprecated class UnsafeTypeConfig extends TaintTracking2::Configuration {
  * If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.
  */
 module UnsafeTypeConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeTypeSink }
 

java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll

@@ -8,7 +8,7 @@ private import semmle.code.java.security.UrlRedirect
  * A taint-tracking configuration for reasoning about URL redirections.
  */
 module UrlRedirectConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 }

java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll

@@ -9,7 +9,7 @@ private import semmle.code.java.security.XPath
  * A taint-tracking configuration for reasoning about XPath injection vulnerabilities.
  */
 module XPathInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
 }

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -31,7 +31,7 @@ deprecated class XsltInjectionFlowConfig extends TaintTracking::Configuration {
  * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
  */
 module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
 

java/ql/lib/semmle/code/java/security/XssQuery.qll

@@ -9,7 +9,7 @@ import semmle.code.java.security.XSS
  * A taint-tracking configuration for cross site scripting vulnerabilities.
  */
 module XssConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
 

java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll

@@ -28,7 +28,7 @@ deprecated class XxeConfig extends TaintTracking::Configuration {
  * A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
  */
 module XxeConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
 

java/ql/lib/semmle/code/java/security/performance/ExponentialBackTracking.qll

@@ -1,4 +0,0 @@
-/** DEPRECATED. Import `semmle.code.java.security.regexp.ExponentialBackTracking` instead. */
-
-deprecated import semmle.code.java.security.regexp.ExponentialBackTracking as Dep
-import Dep

java/ql/lib/semmle/code/java/security/performance/PolynomialReDoSQuery.qll

@@ -1,4 +0,0 @@
-/** DEPRECATED. Import `semmle.code.java.security.regexp.PolynomialReDoSQuery` instead. */
-
-deprecated import semmle.code.java.security.regexp.PolynomialReDoSQuery as Dep
-import Dep

java/ql/lib/semmle/code/java/security/performance/ReDoSUtil.qll

@@ -1,4 +0,0 @@
-/** DEPRECATED. Import `semmle.code.java.security.regexp.NfaUtils` instead. */
-
-deprecated import semmle.code.java.security.regexp.NfaUtils as Dep
-import Dep

java/ql/lib/semmle/code/java/security/performance/SuperlinearBackTracking.qll

@@ -1,4 +0,0 @@
-/** DEPRECATED. Import `semmle.code.java.security.regexp.SuperlinearBackTracking` instead. */
-
-deprecated import semmle.code.java.security.regexp.SuperlinearBackTracking as Dep
-import Dep

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll

@@ -66,7 +66,7 @@ deprecated predicate hasPolynomialReDoSResult(
 
 /** A configuration for Polynomial ReDoS queries. */
 module PolynomialRedosConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp |

java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll

@@ -24,7 +24,7 @@ deprecated class RegexInjectionConfiguration extends TaintTracking::Configuratio
  * A taint-tracking configuration for untrusted user input used to construct regular expressions.
  */
 module RegexInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 

java/ql/src/Telemetry/ExternalApi.qll

@@ -90,9 +90,6 @@ class ExternalApi extends Callable {
   }
 }
 
-/** DEPRECATED: Alias for ExternalApi */
-deprecated class ExternalAPI = ExternalApi;
-
 /**
  * Gets the limit for the number of results produced by a telemetry query.
  */

java/ql/src/change-notes/2023-10-06-threat-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.

java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

@@ -43,7 +43,7 @@ class Log4jInjectionSanitizer extends DataFlow::Node {
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
 module Log4jInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink }
 

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

@@ -33,7 +33,7 @@ class UrlConstructor extends ClassInstanceExpr {
 }
 
 module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess m |

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -48,7 +48,7 @@ class NormalizedPathNode extends DataFlow::Node {
 }
 
 module InjectFilePathConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     sinkNode(sink, "path-injection") and

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql

@@ -14,7 +14,7 @@
 import CommandInjectionRuntimeExec
 import ExecUserFlow::PathGraph
 
-class RemoteSource extends Source instanceof RemoteFlowSource { }
+class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
 
 from
   ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

@@ -20,7 +20,7 @@ import semmle.code.java.dataflow.TaintTracking
 import MyBatisAnnotationSqlInjectionFlow::PathGraph
 
 private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
 

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql

@@ -20,7 +20,7 @@ import semmle.code.java.dataflow.FlowSources
 import MyBatisMapperXmlSqlInjectionFlow::PathGraph
 
 private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
 

java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql

@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
 import BeanShellInjectionFlow::PathGraph
 
 module BeanShellInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }
 

java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql

@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
 import JShellInjectionFlow::PathGraph
 
 module JShellInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }
 

java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll

@@ -8,7 +8,7 @@ import semmle.code.java.dataflow.TaintTracking
  * that is used to construct and evaluate an expression.
  */
 module JakartaExpressionInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink }
 

java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql

@@ -99,17 +99,17 @@ class CodeInjectionSink extends DataFlow::ExprNode {
 }
 
 /**
- * A taint configuration for tracking flow from `RemoteFlowSource` to a Jython method call
+ * A taint configuration for tracking flow from `ThreatModelFlowSource` to a Jython method call
  * `CodeInjectionSink` that executes injected code.
  */
 module CodeInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 }
 
 /**
- * Taint tracking flow from `RemoteFlowSource` to a Jython method call
+ * Taint tracking flow from `ThreatModelFlowSource` to a Jython method call
  * `CodeInjectionSink` that executes injected code.
  */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;

java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql

@@ -131,11 +131,11 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
 }
 
 /**
- * A taint tracking configuration that tracks flow from `RemoteFlowSource` to an argument
+ * A taint tracking configuration that tracks flow from `ThreatModelFlowSource` to an argument
  * of a method call that executes injected script.
  */
 module ScriptInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
 }

java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll

@@ -42,7 +42,7 @@ class PortletRenderRequestMethod extends Method {
  */
 module SpringViewManipulationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource or
+    source instanceof ThreatModelFlowSource or
     source instanceof WebRequestSource or
     source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod
   }

java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql

@@ -19,7 +19,7 @@ import AndroidWebResourceResponse
 import InsecureWebResourceResponseFlow::PathGraph
 
 module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }
 

java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll

@@ -148,7 +148,7 @@ private predicate updateMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::N
  * such as cipher, MAC or signature.
  */
 private module UserInputInCryptoOperationConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(ProduceCryptoCall call | call.getQualifier() = sink.asExpr())
@@ -214,7 +214,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess {
  * that compare inputs using a non-constant-time algorithm.
  */
 private module UserInputInComparisonConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(NonConstantTimeEqualsCall call |

java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql

@@ -63,7 +63,7 @@ module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
 module CorsSourceReachesCheckFlow = TaintTracking::Global<CorsSourceReachesCheckConfig>;
 
 private module CorsOriginConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess corsHeader, MethodAccess allowCredentialsHeader |

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql

@@ -22,7 +22,7 @@ import RequestResponseFlow::PathGraph
 /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 module RequestResponseFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
+    source instanceof ThreatModelFlowSource and
     any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
   }
 

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

@@ -77,16 +77,16 @@ class JsonpBuilderExpr extends AddExpr {
   Expr getJsonExpr() { result = this.getLeftOperand().(AddExpr).getRightOperand() }
 }
 
-/** A data flow configuration tracing flow from remote sources to jsonp function name. */
-module RemoteFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+/** A data flow configuration tracing flow from threat model sources to jsonp function name. */
+module ThreatModelFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr())
   }
 }
 
-module RemoteFlow = DataFlow::Global<RemoteFlowConfig>;
+module ThreatModelFlow = DataFlow::Global<ThreatModelFlowConfig>;
 
 /** A data flow configuration tracing flow from json data into the argument `json` of JSONP-like string `someFunctionName + "(" + json + ")"`. */
 module JsonDataFlowConfig implements DataFlow::ConfigSig {
@@ -105,7 +105,7 @@ module JsonpInjectionFlowConfig implements DataFlow::ConfigSig {
     exists(JsonpBuilderExpr jhe |
       jhe = src.asExpr() and
       JsonDataFlow::flowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
-      RemoteFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName()))
+      ThreatModelFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName()))
     )
   }
 

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql

@@ -17,7 +17,7 @@ import ThreadResourceAbuseFlow::PathGraph
 
 /** Taint configuration of uncontrolled thread resource consumption. */
 module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
 

java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql

@@ -32,7 +32,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) {
 }
 
 module UnsafeReflectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
 

java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql

@@ -21,7 +21,7 @@ import UnsafeUrlForwardFlow::PathGraph
 
 module UnsafeUrlForwardFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
+    source instanceof ThreatModelFlowSource and
     not exists(MethodAccess ma, Method m | ma.getMethod() = m |
       (
         m instanceof HttpServletRequestGetRequestUriMethod or

java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql

@@ -65,9 +65,9 @@ class UncaughtServletExceptionSink extends DataFlow::ExprNode {
   }
 }
 
-/** Taint configuration of uncaught exceptions caused by user provided data from `RemoteFlowSource` */
+/** Taint configuration of uncaught exceptions caused by user provided data from `ThreatModelFlowSource` */
 module UncaughtServletExceptionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink }
 }

java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql

@@ -26,7 +26,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
 }
 
 module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
 

java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql

@@ -20,7 +20,7 @@ import XQueryInjectionFlow::PathGraph
  * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
  */
 module XQueryInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or

java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql

@@ -24,7 +24,7 @@ import NfeLocalDoSFlow::PathGraph
  */
 module NfeLocalDoSConfig implements DataFlow::ConfigSig {
   /** Holds if source is a remote flow source */
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   /** Holds if NFE is thrown but not caught */
   predicate isSink(DataFlow::Node sink) {

java/ql/test/library-tests/MemberRefExpr/MemberRefExpr.expected

@@ -1,14 +1,54 @@
-| Test.java:24:26:24:51 | ...::... | Test$Generic<Number>$Inner<>.Inner<> | Test$Generic$Inner.class:0:0:0:0 | Inner<> |
-| Test.java:38:29:38:42 | ...::... | java.lang.Object.toString | Test.java:1:7:1:10 | Test |
-| Test.java:39:29:39:42 | ...::... | java.lang.Object.hashCode | Test.java:1:7:1:10 | Test |
-| Test.java:40:29:40:39 | ...::... | java.lang.Object.clone | Test.java:1:7:1:10 | Test |
-| Test.java:41:40:41:64 | ...::... | java.lang.Object.toString | Test$Generic.class:0:0:0:0 | Generic<String> |
-| Test.java:43:23:43:36 | ...::... | java.lang.Object.toString | Test.java:1:7:1:10 | Test |
-| Test.java:44:23:44:36 | ...::... | java.lang.Object.hashCode | Test.java:1:7:1:10 | Test |
-| Test.java:45:23:45:33 | ...::... | java.lang.Object.clone | Test.java:1:7:1:10 | Test |
-| Test.java:48:22:48:35 | ...::... | java.lang.Object.toString | Test.java:1:7:1:10 | Test |
-| Test.java:51:13:51:21 | ...::... | Test.Test | Test.java:1:7:1:10 | Test |
-| Test.java:52:13:52:32 | ...::... | Test$Generic<String>.Generic<String> | Test$Generic.class:0:0:0:0 | Generic<String> |
-| Test.java:56:13:56:22 | ...::... |  | file://:0:0:0:0 | int[] |
-| Test.java:57:13:57:26 | ...::... |  | file://:0:0:0:0 | Generic<>[] |
-| Test.java:61:31:61:47 | ...::... | Test.doSomething | Test.java:1:7:1:10 | Test |
+getReferencedCallable
+| Test.java:26:31:26:52 | ...::... | java.lang.Object.toString |
+| Test.java:27:31:27:53 | ...::... | java.lang.Object.toString |
+| Test.java:32:27:32:52 | ...::... | Test$Generic<Number>$Inner<>.Inner<> |
+| Test.java:33:27:33:41 | ...::... | java.lang.Object.toString |
+| Test.java:49:29:49:42 | ...::... | java.lang.Object.toString |
+| Test.java:50:29:50:42 | ...::... | java.lang.Object.hashCode |
+| Test.java:51:29:51:39 | ...::... | java.lang.Object.clone |
+| Test.java:52:40:52:64 | ...::... | java.lang.Object.toString |
+| Test.java:54:23:54:36 | ...::... | java.lang.Object.toString |
+| Test.java:55:23:55:36 | ...::... | java.lang.Object.hashCode |
+| Test.java:56:23:56:33 | ...::... | java.lang.Object.clone |
+| Test.java:57:23:57:59 | ...::... | java.lang.Object.toString |
+| Test.java:57:35:57:48 | ...::... | java.lang.Object.toString |
+| Test.java:60:23:60:36 | ...::... | java.lang.Object.toString |
+| Test.java:62:23:62:40 | ...::... | Test.staticMethod |
+| Test.java:65:13:65:21 | ...::... | Test.Test |
+| Test.java:66:13:66:32 | ...::... | Test$Generic<String>.Generic<String> |
+| Test.java:75:31:75:47 | ...::... | Test.doSomething |
+getReceiverExpr
+| Test.java:26:31:26:52 | ...::... | Test.java:26:31:26:42 | Generic<>.this |
+| Test.java:27:31:27:53 | ...::... | Test.java:27:31:27:43 | Generic<>.super |
+| Test.java:32:27:32:52 | ...::... | Test.java:32:27:32:47 | Generic<Number>.Inner<> |
+| Test.java:33:27:33:41 | ...::... | Test.java:33:27:33:31 | super |
+| Test.java:54:23:54:36 | ...::... | Test.java:54:23:54:26 | this |
+| Test.java:55:23:55:36 | ...::... | Test.java:55:23:55:26 | this |
+| Test.java:56:23:56:33 | ...::... | Test.java:56:23:56:26 | this |
+| Test.java:57:23:57:59 | ...::... | Test.java:57:24:57:48 | (...)... |
+| Test.java:57:35:57:48 | ...::... | Test.java:57:35:57:38 | this |
+| Test.java:60:23:60:36 | ...::... | Test.java:60:23:60:26 | this |
+| Test.java:62:23:62:40 | ...::... | Test.java:62:23:62:26 | Test |
+| Test.java:65:13:65:21 | ...::... | Test.java:65:13:65:16 | Test |
+| Test.java:66:13:66:32 | ...::... | Test.java:66:13:66:27 | Generic<String> |
+getReceiverType
+| Test.java:26:31:26:52 | ...::... | Test.java:19:18:19:24 | Generic |
+| Test.java:27:31:27:53 | ...::... | Test.java:16:18:16:26 | BaseClass |
+| Test.java:32:27:32:52 | ...::... | Test$Generic$Inner.class:0:0:0:0 | Inner<> |
+| Test.java:33:27:33:41 | ...::... | Test.java:16:18:16:26 | BaseClass |
+| Test.java:49:29:49:42 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:50:29:50:42 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:51:29:51:39 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:52:40:52:64 | ...::... | Test$Generic.class:0:0:0:0 | Generic<String> |
+| Test.java:54:23:54:36 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:55:23:55:36 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:56:23:56:33 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:57:23:57:59 | ...::... | Test.java:10:15:10:22 | Supplier |
+| Test.java:57:35:57:48 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:60:23:60:36 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:62:23:62:40 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:65:13:65:21 | ...::... | Test.java:1:7:1:10 | Test |
+| Test.java:66:13:66:32 | ...::... | Test$Generic.class:0:0:0:0 | Generic<String> |
+| Test.java:70:13:70:22 | ...::... | file://:0:0:0:0 | int[] |
+| Test.java:71:13:71:26 | ...::... | file://:0:0:0:0 | Generic<>[] |
+| Test.java:75:31:75:47 | ...::... | Test.java:1:7:1:10 | Test |

java/ql/test/library-tests/MemberRefExpr/MemberRefExpr.ql

@@ -1,10 +1,10 @@
 import java
 
-string getReferencedCallable(MemberRefExpr e) {
-  if exists(e.getReferencedCallable())
-  then result = e.getReferencedCallable().getQualifiedName()
-  else result = ""
+query string getReferencedCallable(MemberRefExpr e) {
+  // Use qualified name because some callables don't have a source location (e.g. `Object.toString`)
+  result = e.getReferencedCallable().getQualifiedName()
 }
 
-from MemberRefExpr e
-select e, getReferencedCallable(e), e.getReceiverType()
+query Expr getReceiverExpr(MemberRefExpr e) { result = e.getReceiverExpr() }
+
+query RefType getReceiverType(MemberRefExpr e) { result = e.getReceiverType() }

java/ql/test/library-tests/MemberRefExpr/Test.java

@@ -13,20 +13,31 @@ class Test {
 
     public Test() { }
 
-    static class Generic<T> {
+    static class BaseClass {
+    }
+
+    static class Generic<T> extends BaseClass {
         public Generic() { }
 
         class Inner {
             public Inner() { }
+
+            void test() {
+                Supplier s0 = Generic.this::toString;
+                Supplier s1 = Generic.super::toString;
+            }
         }
 
         void test() {
-            Supplier s = Generic<Number>.Inner::new;
+            Supplier s0 = Generic<Number>.Inner::new;
+            Supplier s1 = super::toString;
         }
     }
 
     void doSomething() { }
 
+    static void staticMethod() { }
+
     static class Sub extends Test {
     }
 
@@ -43,9 +54,12 @@ class Test {
         Supplier s0 = this::toString;
         Supplier s1 = this::hashCode;
         Supplier s2 = this::clone;
+        Supplier s3 = ((Supplier) this::toString)::toString;
 
         // Discards result of method call
-        Runnable r = this::toString;
+        Runnable r0 = this::toString;
+
+        Runnable r1 = Test::staticMethod;
 
         Supplier[] classInstances = {
             Test::new,

java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql

@@ -9,7 +9,7 @@ class TestRemoteFlowSource extends RemoteFlowSource {
 }
 
 module TaintFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node n) {
     exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())

java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql

@@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     DefaultFlowConfig::isSource(node)
     or
-    node instanceof RemoteFlowSource
+    node instanceof ThreatModelFlowSource
   }
 
   predicate isSink = DefaultFlowConfig::isSink/1;

java/ql/test/library-tests/frameworks/android/content-provider/test.ql

@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineFlowTest
 
 module ProviderTaintFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node n) { DefaultFlowConfig::isSink(n) }
 

java/ql/test/library-tests/frameworks/android/external-storage/test.ql

@@ -4,7 +4,7 @@ import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineFlowTest
 
 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr().(Argument).getCall().getCallee().hasName("sink")

java/ql/test/library-tests/frameworks/android/slice/test.ql

@@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources
 
 module SliceValueFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    DefaultFlowConfig::isSource(source) or source instanceof RemoteFlowSource
+    DefaultFlowConfig::isSource(source) or source instanceof ThreatModelFlowSource
   }
 
   predicate isSink = DefaultFlowConfig::isSink/1;

java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql

@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineFlowTest
 
 module SourceValueFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) }
 

java/ql/test/library-tests/frameworks/apache-http/flow.ql

@@ -9,7 +9,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node n) {
     n.asExpr().(MethodAccess).getMethod().hasName("taint")
     or
-    n instanceof RemoteFlowSource
+    n instanceof ThreatModelFlowSource
   }
 
   predicate isSink(DataFlow::Node n) {

java/ql/test/library-tests/frameworks/guice/flow.ql

@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 
 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess ma |

java/ql/test/library-tests/frameworks/jms/FlowTest.ql

@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineExpectationsTest
 
 module TestConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess call |

java/ql/test/library-tests/frameworks/netty/manual/test.ql

@@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     DefaultFlowConfig::isSource(node)
     or
-    node instanceof RemoteFlowSource
+    node instanceof ThreatModelFlowSource
   }
 
   predicate isSink = DefaultFlowConfig::isSink/1;