Replace deprecated jcenter() with Maven Central mirror URL for dependency resolution in Gradle build scripts

java/ql/integration-tests/java/android-8-sample/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style/build.gradle

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 
     /**
@@ -32,13 +34,15 @@ buildscript {
  * dependencies used by all modules in your project, such as third-party plugins
  * or libraries. However, you should configure module-specific dependencies in
  * each module-level build.gradle file. For new projects, Android Studio
- * includes JCenter and Google's Maven repository by default, but it does not
+ * includes Maven Central and Google's Maven repository by default, but it does not
  * configure any dependencies (unless you select a template that requires some).
  */
 
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }

java/ql/integration-tests/java/android-sample/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/buildless-gradle-boms/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected

@@ -1,5 +1,5 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
-https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
-https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
-https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
-https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar

java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected

@@ -1,2 +1,2 @@
-https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-gradle/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected

@@ -1 +1 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-proxy-gradle/buildless-fetches.expected

@@ -1 +1 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample2/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/diagnostics/android-gradle-incompatibility/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/diagnostics/java-version-too-old/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/diagnostics/no-gradle-wrapper/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/gradle-sample-kotlin-script/app/build.gradle.kts

@@ -12,8 +12,9 @@ plugins {
 }
 
 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+    }
 }
 
 dependencies {

java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/partial-gradle-sample-without-gradle/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/partial-gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/spring-boot-sample/build.gradle

@@ -11,7 +11,9 @@ version = '0.0.1-SNAPSHOT'
 // but I omit it to test we recognise the Spring Boot plugin version.
 
 repositories {
-	mavenCentral()
+	maven {
+		url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+	}
 }
 
 dependencies {

python/ql/consistency-queries/CfgConsistency.ql

@@ -1,2 +0,0 @@
-import semmle.python.controlflow.internal.AstNodeImpl
-import ControlFlow::Consistency

python/ql/consistency-queries/DataFlowConsistency.ql

@@ -9,7 +9,6 @@ private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
 private import semmle.python.dataflow.new.internal.DataFlowDispatch
 private import semmle.python.dataflow.new.internal.TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 private module Input implements InputSig<Location, PythonDataFlow> {
   private import Private
@@ -75,7 +74,7 @@ private module Input implements InputSig<Location, PythonDataFlow> {
     // resolve to multiple functions), but we only make _one_ ArgumentNode for each
     // argument in the CallNode, we end up violating this consistency check in those
     // cases. (see `getCallArg` in DataFlowDispatch.qll)
-    exists(DataFlowCall other, Cfg::CallNode cfgCall | other != call |
+    exists(DataFlowCall other, CallNode cfgCall | other != call |
       call.getNode() = cfgCall and
       other.getNode() = cfgCall and
       isArgumentNode(arg, call, _) and
@@ -91,16 +90,16 @@ private module Input implements InputSig<Location, PythonDataFlow> {
       // allow it instead.
       (
         call.getScope() = attr.getScope() and
-        any(CfgNode n | n.asCfgNode() = call.getNode().(Cfg::CallNode).getFunction())
-            .getALocalSource() = attr
+        any(CfgNode n | n.asCfgNode() = call.getNode().(CallNode).getFunction()).getALocalSource() =
+          attr
         or
         not exists(call.getScope().(Function).getDefinition()) and
         call.getScope().getScope+() = attr.getScope()
       ) and
       (
         other.getScope() = attr.getScope() and
-        any(CfgNode n | n.asCfgNode() = other.getNode().(Cfg::CallNode).getFunction())
-            .getALocalSource() = attr
+        any(CfgNode n | n.asCfgNode() = other.getNode().(CallNode).getFunction()).getALocalSource() =
+          attr
         or
         not exists(other.getScope().(Function).getDefinition()) and
         other.getScope().getScope+() = attr.getScope()

python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* A new Python control flow graph implementation has been added under `semmle.python.controlflow.internal.Cfg` (backed by `AstNodeImpl.qll`), built on the shared `codeql.controlflow.ControlFlowGraph` library. It is not yet used by the dataflow library or any production query; the legacy CFG in `semmle/python/Flow.qll` remains the default. The new library is exposed for tests and for upcoming migrations.

python/ql/lib/change-notes/2026-05-19-add-shared-ssa.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* A new SSA adapter has been added under `semmle.python.dataflow.new.internal.SsaImpl`, built on the shared `codeql.ssa.Ssa` library and the new shared CFG (`semmle.python.controlflow.internal.Cfg`). It is not yet used by the dataflow library or any production query; the legacy ESSA SSA in `semmle/python/essa/*` remains the default. The new SSA adapter is exposed for tests and for the upcoming dataflow migration.

python/ql/lib/change-notes/2026-06-02-deprecated-flow-nodes-use-new-cfg.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The deprecated `AstNode.getAFlowNode()` and `Function.getAReturnValueFlowNode()` predicates now return nodes from the new shared CFG (`Cfg::ControlFlowNode`) rather than from the legacy CFG (`ControlFlowNode`). Callers that still rely on these deprecated APIs and feed the result into legacy-CFG-aware predicates will no longer type-check; migrate to `n.getNode() = e` (or, for return values, the explicit `Return` pattern shown in the deprecation message) to get nodes from the dataflow library's current CFG.

python/ql/lib/change-notes/2026-06-04-cfg-parameter-annotations.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The new (shared-CFG-based) Python control flow graph now visits parameter and return type annotations as CFG nodes for function definitions, matching the legacy CFG. This restores annotation-based type tracking through framework models such as FastAPI's `Depends()`, Pydantic request models, Starlette `WebSocket` handlers, and any other models that flow a class reference through `Parameter.getAnnotation()` to identify instances of the annotated class.

python/ql/lib/printCfgNew.ql

@@ -1,45 +0,0 @@
-/**
- * @name Print CFG (New)
- * @description Produces a representation of a file's Control Flow Graph
- *              using the new shared control flow library.
- *              This query is used by the VS Code extension.
- * @id python/print-cfg
- * @kind graph
- * @tags ide-contextual-queries/print-cfg
- */
-
-private import python as Py
-import semmle.python.controlflow.internal.AstNodeImpl
-
-external string selectedSourceFile();
-
-private predicate selectedSourceFileAlias = selectedSourceFile/0;
-
-external int selectedSourceLine();
-
-private predicate selectedSourceLineAlias = selectedSourceLine/0;
-
-external int selectedSourceColumn();
-
-private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
-
-module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<Py::File> {
-  predicate selectedSourceFile = selectedSourceFileAlias/0;
-
-  predicate selectedSourceLine = selectedSourceLineAlias/0;
-
-  predicate selectedSourceColumn = selectedSourceColumnAlias/0;
-
-  predicate cfgScopeSpan(
-    Ast::Callable callable, Py::File file, int startLine, int startColumn, int endLine,
-    int endColumn
-  ) {
-    exists(Py::Scope scope |
-      scope = callable.asScope() and
-      file = scope.getLocation().getFile() and
-      scope.getLocation().hasLocationInfo(_, startLine, startColumn, endLine, endColumn)
-    )
-  }
-}
-
-import ControlFlow::ViewCfgQuery<Py::File, ViewCfgQueryInput>

python/ql/lib/semmle/python/ApiGraphs.qll

@@ -6,9 +6,8 @@
  * directed and labeled; they specify how the components represented by nodes relate to each other.
  */
 
-// Importing python under the `PY` namespace to avoid pulling in `CallNode` from `Flow.qll` (via `import python`) and thereby having a naming conflict with `API::CallNode`.
+// Importing python under the `py` namespace to avoid importing `CallNode` from `Flow.qll` and thereby having a naming conflict with `API::CallNode`.
 private import python as PY
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.internal.CachedStages
 
@@ -283,7 +282,7 @@ module API {
       index = this.getIndex() and
       (
         // subscripting
-        exists(Cfg::SubscriptNode subscript |
+        exists(PY::SubscriptNode subscript |
           subscript.getObject() = this.getAValueReachableFromSource().asCfgNode() and
           subscript.getIndex() = index.asSink().asCfgNode()
         |
@@ -291,7 +290,7 @@ module API {
           subscript = result.asSource().asCfgNode()
           or
           // writing
-          subscript.(Cfg::DefinitionNode).getValue() = result.asSink().asCfgNode()
+          subscript.(PY::DefinitionNode).getValue() = result.asSink().asCfgNode()
         )
         or
         // dictionary literals
@@ -685,7 +684,7 @@ module API {
      * Ignores relative imports, such as `from ..foo.bar import baz`.
      */
     private predicate imports(DataFlow::CfgNode imp, string name) {
-      exists(Cfg::ImportExprNode iexpr |
+      exists(PY::ImportExprNode iexpr |
         imp.getNode() = iexpr and
         not iexpr.getNode().isRelative() and
         name = iexpr.getNode().getImportedModuleName()
@@ -776,7 +775,7 @@ module API {
         // list literals, from `x` to `[x]`
         // TODO: once convenient, this should be done at a higher level than the AST,
         // at least at the CFG layer, to take splitting into account.
-        // Also consider `Cfg::SequenceNode` for generality.
+        // Also consider `SequenceNode for generality.
         exists(PY::List list | list = pred.(DataFlow::ExprNode).getNode().getNode() |
           rhs.(DataFlow::ExprNode).getNode().getNode() = list.getAnElt() and
           lbl = Label::subscript()
@@ -806,7 +805,7 @@ module API {
         subscript = trackUseNode(src).getSubscript(index)
       |
         // from `x` to a definition of `x[...]`
-        rhs.asCfgNode() = subscript.asCfgNode().(Cfg::DefinitionNode).getValue() and
+        rhs.asCfgNode() = subscript.asCfgNode().(PY::DefinitionNode).getValue() and
         lbl = Label::subscript()
         or
         // from `x` to `"key"` in `x["key"]`

python/ql/lib/semmle/python/AstExtended.qll

@@ -3,7 +3,6 @@ module;
 
 import python
 private import semmle.python.internal.CachedStages
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /** A syntactic node (Class, Function, Module, Expr, Stmt or Comprehension) corresponding to a flow node */
 abstract class AstNode extends AstNode_ {
@@ -20,16 +19,17 @@ abstract class AstNode extends AstNode_ {
   /**
    * DEPRECATED: use `ControlFlowNode.getNode()` from the other direction instead;
    * that is, replace `e.getAFlowNode() = n` with `n.getNode() = e`. This API is
-   * being removed to untangle the AST and CFG hierarchies.
+   * being removed to untangle the AST and CFG hierarchies in preparation for
+   * migrating the dataflow library off the legacy CFG.
    *
-   * Gets a flow node corresponding directly to this node, from the new
-   * (shared) CFG. NOTE: For some statements and other purely syntactic
-   * elements, there may not be a `ControlFlowNode`.
+   * Gets a flow node corresponding directly to this node.
+   * NOTE: For some statements and other purely syntactic elements,
+   * there may not be a `ControlFlowNode`.
    */
   cached
-  deprecated Cfg::ControlFlowNode getAFlowNode() {
+  deprecated ControlFlowNode getAFlowNode() {
     Stages::AST::ref() and
-    result.getNode() = this
+    py_flow_bb_node(result, this, _, _)
   }
 
   /** Gets the location for this AST node */

python/ql/lib/semmle/python/Concepts.qll

@@ -5,7 +5,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -215,7 +214,7 @@ module Path {
     SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
   }
 
-  private predicate safeAccessCheck(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
+  private predicate safeAccessCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
     g.(SafeAccessCheck::Range).checks(node, branch)
   }
 
@@ -224,7 +223,7 @@ module Path {
     /** A data-flow node that checks that a path is safe to access in some way, for example by having a controlled prefix. */
     abstract class Range extends DataFlow::GuardNode {
       /** Holds if this guard validates `node` upon evaluating to `branch`. */
-      abstract predicate checks(Cfg::ControlFlowNode node, boolean branch);
+      abstract predicate checks(ControlFlowNode node, boolean branch);
     }
   }
 }

python/ql/lib/semmle/python/Exprs.qll

@@ -3,7 +3,6 @@ module;
 
 private import python
 private import semmle.python.internal.CachedStages
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /** An expression */
 class Expr extends Expr_, AstNode {
@@ -71,7 +70,7 @@ class Attribute extends Attribute_ {
   /* syntax: Expr.name */
   override Expr getASubExpression() { result = this.getObject() }
 
-  deprecated override Cfg::AttrNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override AttrNode getAFlowNode() { result = super.getAFlowNode() }
 
   /** Gets the name of this attribute. That is the `name` in `obj.name` */
   string getName() { result = Attribute_.super.getAttr() }
@@ -100,7 +99,7 @@ class Subscript extends Subscript_ {
 
   Expr getObject() { result = Subscript_.super.getValue() }
 
-  deprecated override Cfg::SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A call expression, such as `func(...)` */
@@ -116,7 +115,7 @@ class Call extends Call_ {
 
   override string toString() { result = this.getFunc().toString() + "()" }
 
-  deprecated override Cfg::CallNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override CallNode getAFlowNode() { result = super.getAFlowNode() }
 
   /** Gets a tuple (*) argument of this call. */
   Expr getStarargs() { result = this.getAPositionalArg().(Starred).getValue() }
@@ -204,7 +203,7 @@ class IfExp extends IfExp_ {
     result = this.getTest() or result = this.getBody() or result = this.getOrelse()
   }
 
-  deprecated override Cfg::IfExprNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override IfExprNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A starred expression, such as the `*rest` in the assignment `first, *rest = seq` */
@@ -414,7 +413,7 @@ class PlaceHolder extends PlaceHolder_ {
 
   override string toString() { result = "$" + this.getId() }
 
-  deprecated override Cfg::NameNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override NameNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A tuple expression such as `( 1, 3, 5, 7, 9 )` */
@@ -481,7 +480,7 @@ class Name extends Name_ {
 
   override string toString() { result = this.getId() }
 
-  deprecated override Cfg::NameNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override NameNode getAFlowNode() { result = super.getAFlowNode() }
 
   override predicate isArtificial() {
     /* Artificial variable names in comprehensions all start with "." */
@@ -588,7 +587,7 @@ abstract class NameConstant extends Name, ImmutableLiteral {
 
   override predicate isConstant() { any() }
 
-  deprecated override Cfg::NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }
+  deprecated override NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }
 
   override predicate isArtificial() { none() }
 }

python/ql/lib/semmle/python/Function.qll

@@ -2,7 +2,6 @@ overlay[local]
 module;
 
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * A function, independent of defaults and binding.
@@ -158,12 +157,12 @@ class Function extends Function_, Scope, AstNode {
    * DEPRECATED: bind a `Return` node explicitly instead, e.g.
    * `exists(Return ret | ret.getScope() = this and n.getNode() = ret.getValue())`.
    * This API is being phased out together with `AstNode.getAFlowNode()` to
-   * untangle the AST and CFG hierarchies.
+   * untangle the AST and CFG hierarchies in preparation for migrating the
+   * dataflow library off the legacy CFG.
    *
-   * Gets a control flow node for a return value of this function, from the
-   * new (shared) CFG.
+   * Gets a control flow node for a return value of this function.
    */
-  deprecated Cfg::ControlFlowNode getAReturnValueFlowNode() {
+  deprecated ControlFlowNode getAReturnValueFlowNode() {
     exists(Return ret |
       ret.getScope() = this and
       ret.getValue() = result.getNode()

python/ql/lib/semmle/python/Import.qll

@@ -4,7 +4,6 @@ module;
 import python
 private import semmle.python.types.Builtins
 private import semmle.python.internal.CachedStages
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * An alias in an import statement, the `mod as name` part of `import mod as name`. May be artificial;
@@ -164,7 +163,7 @@ class ImportMember extends ImportMember_ {
     result = this.getModule().(ImportExpr).getImportedModuleName() + "." + this.getName()
   }
 
-  deprecated override Cfg::ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** An import statement */

python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll

@@ -1,12 +1,11 @@
 /** Provides commonly used BarrierGuards. */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 
-private predicate constCompare(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
-  exists(Cfg::CompareNode cn | cn = g |
-    exists(ImmutableLiteral const, Cmpop op, Cfg::ControlFlowNode c |
+private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  exists(CompareNode cn | cn = g |
+    exists(ImmutableLiteral const, Cmpop op, ControlFlowNode c |
       c.getNode() = const and
       (
         op = any(Eq eq) and branch = true
@@ -19,7 +18,7 @@ private predicate constCompare(DataFlow::GuardNode g, Cfg::ControlFlowNode node,
       cn.operands(node, op, c)
     )
     or
-    exists(NameConstant const, Cmpop op, Cfg::ControlFlowNode c |
+    exists(NameConstant const, Cmpop op, ControlFlowNode c |
       c.getNode() = const and
       (
         op = any(Is is_) and branch = true
@@ -32,12 +31,12 @@ private predicate constCompare(DataFlow::GuardNode g, Cfg::ControlFlowNode node,
       cn.operands(node, op, c)
     )
     or
-    exists(Cfg::IterableNode const_iterable, Cmpop op |
+    exists(IterableNode const_iterable, Cmpop op |
       op = any(In in_) and branch = true
       or
       op = any(NotIn ni) and branch = false
     |
-      forall(Cfg::ControlFlowNode elem | elem = const_iterable.getAnElement() |
+      forall(ControlFlowNode elem | elem = const_iterable.getAnElement() |
         elem.getNode() instanceof ImmutableLiteral
       ) and
       cn.operands(node, op, const_iterable)

python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll

@@ -4,7 +4,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 // Need to import `semmle.python.Frameworks` since frameworks can extend `SensitiveDataSource::Range`
 private import semmle.python.Frameworks
@@ -106,7 +105,7 @@ private module SensitiveDataModeling {
       or
       // to cover functions that we don't have the definition for, and where the
       // reference to the function has not already been marked as being sensitive
-      this.getFunction().asCfgNode().(Cfg::NameNode).getId() = sensitiveString(classification)
+      this.getFunction().asCfgNode().(NameNode).getId() = sensitiveString(classification)
     }
 
     override SensitiveDataClassification getClassification() { result = classification }
@@ -252,12 +251,12 @@ private module SensitiveDataModeling {
     SensitiveDataClassification classification;
 
     SensitiveVariableAssignment() {
-      exists(Cfg::DefinitionNode def |
-        def.(Cfg::NameNode).getId() = sensitiveString(classification) and
+      exists(DefinitionNode def |
+        def.(NameNode).getId() = sensitiveString(classification) and
         (
           this.asCfgNode() = def.getValue()
           or
-          this.asCfgNode() = def.getValue().(Cfg::ForNode).getSequence()
+          this.asCfgNode() = def.getValue().(ForNode).getSequence()
         ) and
         not this.asExpr() instanceof FunctionExpr and
         not this.asExpr() instanceof ClassExpr
@@ -294,7 +293,7 @@ private module SensitiveDataModeling {
     SensitiveDataClassification classification;
 
     SensitiveSubscript() {
-      this.asCfgNode().(Cfg::SubscriptNode).getIndex() =
+      this.asCfgNode().(SubscriptNode).getIndex() =
         sensitiveLookupStringConst(classification).asCfgNode()
     }
 

python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll

@@ -3,7 +3,6 @@ overlay[local]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import DataFlowUtil
 import DataFlowPublic
 private import DataFlowPrivate
@@ -84,9 +83,9 @@ abstract class AttrWrite extends AttrRef {
  * ```python
  * object.attr = value
  * ```
- * Also gives access to the `value` being written, by extending `Cfg::DefinitionNode`.
+ * Also gives access to the `value` being written, by extending `DefinitionNode`.
  */
-private class AttributeAssignmentNode extends Cfg::DefinitionNode, Cfg::AttrNode { }
+private class AttributeAssignmentNode extends DefinitionNode, AttrNode { }
 
 /** A simple attribute assignment: `object.attr = value`. */
 private class AttributeAssignmentAsAttrWrite extends AttrWrite, CfgNode {
@@ -132,13 +131,13 @@ private class GlobalAttributeAssignmentAsAttrWrite extends AttrWrite, CfgNode {
   override string getAttributeName() { result = node.getName() }
 }
 
-/** Represents `Cfg::CallNode`s that may refer to calls to built-in functions or classes. */
-private class BuiltInCallNode extends Cfg::CallNode {
+/** Represents `CallNode`s that may refer to calls to built-in functions or classes. */
+private class BuiltInCallNode extends CallNode {
   string name;
 
   BuiltInCallNode() {
     // TODO disallow instances where the name of the built-in may refer to an in-scope variable of that name.
-    exists(Cfg::NameNode id |
+    exists(NameNode id |
       name = Builtins::getBuiltinName() and
       this.getFunction() = id and
       id.getId() = name and
@@ -146,7 +145,7 @@ private class BuiltInCallNode extends Cfg::CallNode {
     )
   }
 
-  /** Gets the name of the built-in function that is called at this `Cfg::CallNode` */
+  /** Gets the name of the built-in function that is called at this `CallNode` */
   string getBuiltinName() { result = name }
 }
 
@@ -158,20 +157,20 @@ private class BuiltinAttrCallNode extends BuiltInCallNode {
   BuiltinAttrCallNode() { name in ["setattr", "getattr", "hasattr", "delattr"] }
 
   /** Gets the control flow node for object on which the attribute is accessed. */
-  Cfg::ControlFlowNode getObject() { result in [this.getArg(0), this.getArgByName("object")] }
+  ControlFlowNode getObject() { result in [this.getArg(0), this.getArgByName("object")] }
 
   /**
    * Gets the control flow node for the value that is being written to the attribute.
    * Only relevant for `setattr` calls.
    */
-  Cfg::ControlFlowNode getValue() {
+  ControlFlowNode getValue() {
     // only valid for `setattr`
     name = "setattr" and
     result in [this.getArg(2), this.getArgByName("value")]
   }
 
   /** Gets the control flow node that defines the name of the attribute being accessed. */
-  Cfg::ControlFlowNode getName() { result in [this.getArg(1), this.getArgByName("name")] }
+  ControlFlowNode getName() { result in [this.getArg(1), this.getArgByName("name")] }
 }
 
 /** Represents calls to the built-in `setattr`. */
@@ -206,10 +205,10 @@ private class SetAttrCallAsAttrWrite extends AttrWrite, CfgNode {
  *     attr = value
  *     ...
  * ```
- * Instances of this class correspond to the `Cfg::NameNode` for `attr`, and also gives access to `value` by
- * virtue of being a `Cfg::DefinitionNode`.
+ * Instances of this class correspond to the `NameNode` for `attr`, and also gives access to `value` by
+ * virtue of being a `DefinitionNode`.
  */
-private class ClassAttributeAssignmentNode extends Cfg::DefinitionNode, Cfg::NameNode {
+private class ClassAttributeAssignmentNode extends DefinitionNode, NameNode {
   ClassAttributeAssignmentNode() { this.getScope() = any(ClassExpr c).getInnerScope() }
 }
 
@@ -249,7 +248,7 @@ abstract class AttrRead extends AttrRef, Node, LocalSourceNode {
 
 /** A simple attribute read, e.g. `object.attr` */
 private class AttributeReadAsAttrRead extends AttrRead, CfgNode {
-  override Cfg::AttrNode node;
+  override AttrNode node;
 
   AttributeReadAsAttrRead() { node.isLoad() }
 
@@ -286,7 +285,7 @@ private class GetAttrCallAsAttrRead extends AttrRead, CfgNode {
  * is treated as if it is a read of the attribute `module.attr`, even if `module` is not imported directly.
  */
 private class ModuleAttributeImportAsAttrRead extends AttrRead, CfgNode {
-  override Cfg::ImportMemberNode node;
+  override ImportMemberNode node;
 
   override Node getObject() { result.asCfgNode() = node.getModule(_) }
 

python/ql/lib/semmle/python/dataflow/new/internal/Builtins.qll

@@ -3,7 +3,6 @@ overlay[local]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar
 
@@ -68,7 +67,7 @@ module Builtins {
   DataFlow::CfgNode likelyBuiltin(string name) {
     exists(Module m |
       result.getNode() =
-        any(Cfg::NameNode n |
+        any(NameNode n |
           possible_builtin_accessed_in_module(n, name, m) and
           not possible_builtin_defined_in_module(name, m)
         )
@@ -88,7 +87,7 @@ module Builtins {
    * Holds if `n` is an access of a global variable called `name` (which is also the name of a
    * built-in) inside the module `m`.
    */
-  private predicate possible_builtin_accessed_in_module(Cfg::NameNode n, string name, Module m) {
+  private predicate possible_builtin_accessed_in_module(NameNode n, string name, Module m) {
     n.isGlobal() and
     n.isLoad() and
     name = n.getId() and

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -25,7 +25,7 @@
  * what callable this call might end up targeting.
  *
  * Specifically this means that we cannot use type-backtrackers from the function of a
- * `Cfg::CallNode`, since there is no `Cfg::CallNode` to backtrack from for `func` in the example
+ * `CallNode`, since there is no `CallNode` to backtrack from for `func` in the example
  * above.
  *
  * Note: This hasn't been 100% realized yet, so we don't currently expose a predicate to
@@ -35,7 +35,6 @@ overlay[local?]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -163,7 +162,7 @@ newtype TArgumentPosition =
    */
   TLambdaSelfArgumentPosition() or
   TPositionalArgumentPosition(int index) {
-    exists(any(Cfg::CallNode c).getArg(index))
+    exists(any(CallNode c).getArg(index))
     or
     // since synthetic calls within a summarized callable could use a unique argument
     // position, we need to ensure we make these available (these are specified as
@@ -175,7 +174,7 @@ newtype TArgumentPosition =
     index = 0
   } or
   TKeywordArgumentPosition(string name) {
-    exists(any(Cfg::CallNode c).getArgByName(name))
+    exists(any(CallNode c).getArgByName(name))
     or
     // see comment for TPositionalArgumentPosition
     FlowSummaryImpl::ParsePositions::isParsedKeywordParameterPosition(_, name)
@@ -298,12 +297,10 @@ predicate hasPropertyDecorator(Function func) {
  */
 overlay[local]
 predicate hasContextmanagerDecorator(Function func) {
-  exists(Cfg::ControlFlowNode contextmanager |
-    contextmanager.(Cfg::NameNode).getId() = "contextmanager" and
-    contextmanager.(Cfg::NameNode).isGlobal()
+  exists(ControlFlowNode contextmanager |
+    contextmanager.(NameNode).getId() = "contextmanager" and contextmanager.(NameNode).isGlobal()
     or
-    contextmanager.(Cfg::AttrNode).getObject("contextmanager").(Cfg::NameNode).getId() =
-      "contextlib"
+    contextmanager.(AttrNode).getObject("contextmanager").(NameNode).getId() = "contextlib"
   |
     func.getADecorator() = contextmanager.getNode()
   )
@@ -319,10 +316,10 @@ predicate hasContextmanagerDecorator(Function func) {
  */
 overlay[local]
 private predicate hasOverloadDecorator(Function func) {
-  exists(Cfg::ControlFlowNode overload |
-    overload.(Cfg::NameNode).getId() = "overload" and overload.(Cfg::NameNode).isGlobal()
+  exists(ControlFlowNode overload |
+    overload.(NameNode).getId() = "overload" and overload.(NameNode).isGlobal()
     or
-    overload.(Cfg::AttrNode).getObject("overload").(Cfg::NameNode).isGlobal()
+    overload.(AttrNode).getObject("overload").(NameNode).isGlobal()
   |
     func.getADecorator() = overload.getNode()
   )
@@ -541,7 +538,7 @@ class LibraryCallableValue extends DataFlowCallable, TLibraryCallable {
 // =============================================================================
 /** Gets a call to `type`. */
 private CallCfgNode getTypeCall() {
-  exists(Cfg::NameNode id | id.getId() = "type" and id.isGlobal() |
+  exists(NameNode id | id.getId() = "type" and id.isGlobal() |
     result.getFunction().asCfgNode() = id
   )
 }
@@ -553,7 +550,7 @@ private CallCfgNode getSuperCall() {
   // link below), but otherwise only 2 edgecases. Overall it seems ok to ignore this complexity.
   //
   // https://github.com/python/cpython/blob/18b1782192f85bd26db89f5bc850f8bee4247c1a/Lib/unittest/mock.py#L48-L50
-  exists(Cfg::NameNode id | id.getId() = "super" and id.isGlobal() |
+  exists(NameNode id | id.getId() = "super" and id.isGlobal() |
     result.getFunction().asCfgNode() = id
   )
 }
@@ -1039,7 +1036,7 @@ private module MethodCalls {
    */
   pragma[nomagic]
   private predicate directCall(
-    Cfg::CallNode call, Function target, string functionName, Class cls, AttrRead attr, Node self
+    CallNode call, Function target, string functionName, Class cls, AttrRead attr, Node self
   ) {
     target = findFunctionAccordingToMroKnownStartingClass(cls, functionName) and
     directCall_join(call, functionName, cls, attr, self)
@@ -1048,7 +1045,7 @@ private module MethodCalls {
   /** Extracted to give good join order */
   pragma[nomagic]
   private predicate directCall_join(
-    Cfg::CallNode call, string functionName, Class cls, AttrRead attr, Node self
+    CallNode call, string functionName, Class cls, AttrRead attr, Node self
   ) {
     call.getFunction() = attrReadTracker(attr).asCfgNode() and
     attr.accesses(self, functionName) and
@@ -1065,7 +1062,7 @@ private module MethodCalls {
    */
   pragma[nomagic]
   private predicate callWithinMethodImplicitSelfOrCls(
-    Cfg::CallNode call, Function target, string functionName, Class classWithMethod, AttrRead attr,
+    CallNode call, Function target, string functionName, Class classWithMethod, AttrRead attr,
     Node self
   ) {
     target = findFunctionAccordingToMro(getADirectSubclass*(classWithMethod), functionName) and
@@ -1075,7 +1072,7 @@ private module MethodCalls {
   /** Extracted to give good join order */
   pragma[nomagic]
   private predicate callWithinMethodImplicitSelfOrCls_join(
-    Cfg::CallNode call, string functionName, Class classWithMethod, AttrRead attr, Node self
+    CallNode call, string functionName, Class classWithMethod, AttrRead attr, Node self
   ) {
     call.getFunction() = attrReadTracker(attr).asCfgNode() and
     attr.accesses(self, functionName) and
@@ -1087,7 +1084,7 @@ private module MethodCalls {
    * resolve the call to a known target (since the only super class might be the
    * builtin `object`, so we never have the implementation of `__new__` in the DB).
    */
-  predicate fromSuperNewCall(Cfg::CallNode call, Class classUsedInSuper, AttrRead attr, Node self) {
+  predicate fromSuperNewCall(CallNode call, Class classUsedInSuper, AttrRead attr, Node self) {
     fromSuper_join(call, "__new__", classUsedInSuper, attr, self) and
     self in [classTracker(_), clsArgumentTracker(_)]
   }
@@ -1109,7 +1106,7 @@ private module MethodCalls {
    */
   pragma[nomagic]
   predicate fromSuper(
-    Cfg::CallNode call, Function target, string functionName, Class classUsedInSuper, AttrRead attr,
+    CallNode call, Function target, string functionName, Class classUsedInSuper, AttrRead attr,
     Node self
   ) {
     target = findFunctionAccordingToMro(getNextClassInMro(classUsedInSuper), functionName) and
@@ -1119,7 +1116,7 @@ private module MethodCalls {
   /** Extracted to give good join order */
   pragma[nomagic]
   private predicate fromSuper_join(
-    Cfg::CallNode call, string functionName, Class classUsedInSuper, AttrRead attr, Node self
+    CallNode call, string functionName, Class classUsedInSuper, AttrRead attr, Node self
   ) {
     call.getFunction() = attrReadTracker(attr).asCfgNode() and
     (
@@ -1138,7 +1135,7 @@ private module MethodCalls {
     )
   }
 
-  predicate resolveMethodCall(Cfg::CallNode call, Function target, CallType type, Node self) {
+  predicate resolveMethodCall(CallNode call, Function target, CallType type, Node self) {
     (
       directCall(call, target, _, _, _, self)
       or
@@ -1185,7 +1182,7 @@ import MethodCalls
  * NOTE: We have this predicate mostly to be able to compare with old point-to
  * call-graph resolution. So it could be removed in the future.
  */
-predicate resolveClassCall(Cfg::CallNode call, Class cls) {
+predicate resolveClassCall(CallNode call, Class cls) {
   call.getFunction() = classTracker(cls).asCfgNode()
   or
   // `cls()` inside a classmethod (which also contains `type(self)()` inside a method)
@@ -1215,7 +1212,7 @@ Function invokedFunctionFromClassConstruction(Class cls, string funcName) {
  *
  * See https://docs.python.org/3/reference/datamodel.html#object.__call__
  */
-predicate resolveClassInstanceCall(Cfg::CallNode call, Function target, Node self) {
+predicate resolveClassInstanceCall(CallNode call, Function target, Node self) {
   exists(Class cls |
     call.getFunction() = classInstanceTracker(cls).asCfgNode() and
     target = findFunctionAccordingToMroKnownStartingClass(cls, "__call__")
@@ -1234,7 +1231,7 @@ predicate resolveClassInstanceCall(Cfg::CallNode call, Function target, Node sel
  * Holds if `call` is a call to the `target`, with call-type `type`.
  */
 cached
-predicate resolveCall(Cfg::CallNode call, Function target, CallType type) {
+predicate resolveCall(CallNode call, Function target, CallType type) {
   Stages::DataFlow::ref() and
   (
     type instanceof CallTypePlainFunction and
@@ -1259,11 +1256,11 @@ predicate resolveCall(Cfg::CallNode call, Function target, CallType type) {
 // =============================================================================
 /**
  * Holds if the argument of `call` at position `apos` is `arg`. This is just a helper
- * predicate that maps ArgumentPositions to the arguments of the underlying `Cfg::CallNode`.
+ * predicate that maps ArgumentPositions to the arguments of the underlying `CallNode`.
  */
 overlay[local]
 cached
-predicate normalCallArg(Cfg::CallNode call, Node arg, ArgumentPosition apos) {
+predicate normalCallArg(CallNode call, Node arg, ArgumentPosition apos) {
   exists(int index |
     apos.isPositional(index) and
     arg.asCfgNode() = call.getArg(index)
@@ -1278,7 +1275,7 @@ predicate normalCallArg(Cfg::CallNode call, Node arg, ArgumentPosition apos) {
   exists(int index |
     apos.isStarArgs(index) and
     arg.asCfgNode() = call.getStarArg() and
-    // since `Cfg::CallNode.getArg` doesn't include `*args`, we need to drop to the AST level
+    // since `CallNode.getArg` doesn't include `*args`, we need to drop to the AST level
     // to get the index. Notice that we only use the AST for getting the index, so we
     // don't need to check for dominance in regards to splitting.
     call.getStarArg().getNode() = call.getNode().getPositionalArg(index).(Starred).getValue()
@@ -1352,9 +1349,7 @@ predicate normalCallArg(Cfg::CallNode call, Node arg, ArgumentPosition apos) {
  * translated into `l.clear()`, and we can still have use-use flow.
  */
 cached
-predicate getCallArg(
-  Cfg::CallNode call, Function target, CallType type, Node arg, ArgumentPosition apos
-) {
+predicate getCallArg(CallNode call, Function target, CallType type, Node arg, ArgumentPosition apos) {
   Stages::DataFlow::ref() and
   resolveCall(call, target, type) and
   (
@@ -1447,12 +1442,10 @@ private predicate sameEnclosingCallable(Node node1, Node node2) {
 // DataFlowCall
 // =============================================================================
 newtype TDataFlowCall =
-  TNormalCall(Cfg::CallNode call, Function target, CallType type) {
-    call.injects(_) and resolveCall(call, target, type)
-  } or
+  TNormalCall(CallNode call, Function target, CallType type) { resolveCall(call, target, type) } or
   /** A call to the generated function inside a comprehension */
   TComprehensionCall(Comp c) or
-  TPotentialLibraryCall(Cfg::CallNode call) { call.injects(_) } or
+  TPotentialLibraryCall(CallNode call) or
   /** A synthesized call inside a summarized callable */
   TSummaryCall(
     FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
@@ -1472,7 +1465,7 @@ abstract class DataFlowCall extends TDataFlowCall {
   abstract ArgumentNode getArgument(ArgumentPosition apos);
 
   /** Get the control flow node representing this call, if any. */
-  abstract Cfg::ControlFlowNode getNode();
+  abstract ControlFlowNode getNode();
 
   /** Gets the enclosing callable of this call. */
   DataFlowCallable getEnclosingCallable() { result = getCallableScope(this.getScope()) }
@@ -1503,28 +1496,28 @@ abstract class ExtractedDataFlowCall extends DataFlowCall {
 }
 
 /**
- * A resolved call in source code with an underlying `Cfg::CallNode`.
+ * A resolved call in source code with an underlying `CallNode`.
  *
  * This is considered normal, compared with special calls such as `obj[0]` calling the
  * `__getitem__` method on the object. However, this also includes calls that go to the
  * `__call__` special method.
  */
 class NormalCall extends ExtractedDataFlowCall, TNormalCall {
-  Cfg::CallNode call;
+  CallNode call;
   Function target;
   CallType type;
 
   NormalCall() { this = TNormalCall(call, target, type) }
 
   override string toString() {
-    // note: if we used toString directly on the Cfg::CallNode we would get
-    //     `Cfg::ControlFlowNode for func()`
-    // but the `Cfg::ControlFlowNode` part is just clutter, so we go directly to the AST node
+    // note: if we used toString directly on the CallNode we would get
+    //     `ControlFlowNode for func()`
+    // but the `ControlFlowNode` part is just clutter, so we go directly to the AST node
     // instead.
     result = call.getNode().toString()
   }
 
-  override Cfg::ControlFlowNode getNode() { result = call }
+  override ControlFlowNode getNode() { result = call }
 
   override Scope getScope() { result = call.getScope() }
 
@@ -1552,7 +1545,7 @@ class ComprehensionCall extends ExtractedDataFlowCall, TComprehensionCall {
 
   override string toString() { result = "comprehension call" }
 
-  override Cfg::ControlFlowNode getNode() { result.getNode() = c }
+  override ControlFlowNode getNode() { result.getNode() = c }
 
   override Scope getScope() { result = c.getScope() }
 
@@ -1575,14 +1568,14 @@ class ComprehensionCall extends ExtractedDataFlowCall, TComprehensionCall {
  * in this class.
  */
 class PotentialLibraryCall extends ExtractedDataFlowCall, TPotentialLibraryCall {
-  Cfg::CallNode call;
+  CallNode call;
 
   PotentialLibraryCall() { this = TPotentialLibraryCall(call) }
 
   override string toString() {
-    // note: if we used toString directly on the Cfg::CallNode we would get
-    //     `Cfg::ControlFlowNode for func()`
-    // but the `Cfg::ControlFlowNode` part is just clutter, so we go directly to the AST node
+    // note: if we used toString directly on the CallNode we would get
+    //     `ControlFlowNode for func()`
+    // but the `ControlFlowNode` part is just clutter, so we go directly to the AST node
     // instead.
     result = call.getNode().toString()
   }
@@ -1599,10 +1592,10 @@ class PotentialLibraryCall extends ExtractedDataFlowCall, TPotentialLibraryCall
     // potential self argument, from `foo.bar()` -- note that this could also just be a
     // module reference, but we really don't have a good way of knowing :|
     apos.isSelf() and
-    result.asCfgNode() = call.getFunction().(Cfg::AttrNode).getObject()
+    result.asCfgNode() = call.getFunction().(AttrNode).getObject()
   }
 
-  override Cfg::ControlFlowNode getNode() { result = call }
+  override ControlFlowNode getNode() { result = call }
 
   override Scope getScope() { result = call.getScope() }
 }
@@ -1634,7 +1627,7 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
 
   override ArgumentNode getArgument(ArgumentPosition apos) { none() }
 
-  override Cfg::ControlFlowNode getNode() { none() }
+  override ControlFlowNode getNode() { none() }
 
   override string toString() { result = "[summary] call to " + receiver + " in " + c }
 
@@ -1776,12 +1769,12 @@ private class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNodeImpl
  * This is used for tracking flow through captured variables.
  */
 class SynthCapturedVariablesArgumentNode extends Node, TSynthCapturedVariablesArgumentNode {
-  Cfg::ControlFlowNode callable;
+  ControlFlowNode callable;
 
   SynthCapturedVariablesArgumentNode() { this = TSynthCapturedVariablesArgumentNode(callable) }
 
-  /** Gets the `Cfg::CallNode` corresponding to this captured variables argument node. */
-  Cfg::CallNode getCallNode() { result.getFunction() = callable }
+  /** Gets the `CallNode` corresponding to this captured variables argument node. */
+  CallNode getCallNode() { result.getFunction() = callable }
 
   /** Gets the `CfgNode` that corresponds to this synthetic node. */
   CfgNode getUnderlyingNode() { result.asCfgNode() = callable }
@@ -1799,7 +1792,7 @@ class CapturedVariablesArgumentNodeAsArgumentNode extends ArgumentNode,
 {
   overlay[global]
   override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    exists(Cfg::CallNode callNode | callNode = this.getCallNode() |
+    exists(CallNode callNode | callNode = this.getCallNode() |
       callNode = call.getNode() and
       exists(Function target | resolveCall(callNode, target, _) |
         target = any(VariableCapture::CapturedVariable v).getACapturingScope()
@@ -1813,7 +1806,7 @@ class CapturedVariablesArgumentNodeAsArgumentNode extends ArgumentNode,
 class SynthCapturedVariablesArgumentPostUpdateNode extends PostUpdateNodeImpl,
   TSynthCapturedVariablesArgumentPostUpdateNode
 {
-  Cfg::ControlFlowNode callable;
+  ControlFlowNode callable;
 
   SynthCapturedVariablesArgumentPostUpdateNode() {
     this = TSynthCapturedVariablesArgumentPostUpdateNode(callable)

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -2,9 +2,8 @@ overlay[local?]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import DataFlowPublic
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
+private import semmle.python.essa.SsaCompute
 private import semmle.python.dataflow.new.internal.ImportResolution
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.python.frameworks.data.ModelsAsData
@@ -44,28 +43,13 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos)
 // Nodes
 //--------
 overlay[local]
-predicate isExpressionNode(Cfg::ControlFlowNode node) {
-  // Restrict to the `injects` representative so the dataflow layer creates
-  // exactly one `TCfgNode` per AST expression.
-  node.injects(_) and
-  (
-    node.getNode() instanceof Expr
-    or
-    // `Cfg::ForNode` wraps a `For` statement's iter position, but
-    // overrides `.getNode()` to return the `Py::For` statement (for
-    // legacy parity). The underlying AST is still an `Expr` (the iter
-    // expression); we want a dataflow node here so that for-loop
-    // content reads (`for y in l`) have a source expression node to
-    // read content from.
-    node instanceof Cfg::ForNode
-  )
-}
+predicate isExpressionNode(ControlFlowNode node) { node.getNode() instanceof Expr }
 
 // =============================================================================
 // SyntheticPreUpdateNode
 // =============================================================================
 class SyntheticPreUpdateNode extends Node, TSyntheticPreUpdateNode {
-  Cfg::CallNode node;
+  CallNode node;
 
   SyntheticPreUpdateNode() { this = TSyntheticPreUpdateNode(node) }
 
@@ -167,7 +151,7 @@ predicate synthStarArgsElementParameterNodeStoreStep(
  * been passed in a `**kwargs` argument.
  */
 class SynthDictSplatArgumentNode extends Node, TSynthDictSplatArgumentNode {
-  Cfg::CallNode node;
+  CallNode node;
 
   SynthDictSplatArgumentNode() { this = TSynthDictSplatArgumentNode(node) }
 
@@ -181,7 +165,7 @@ class SynthDictSplatArgumentNode extends Node, TSynthDictSplatArgumentNode {
 private predicate synthDictSplatArgumentNodeStoreStep(
   ArgumentNode nodeFrom, DictionaryElementContent c, SynthDictSplatArgumentNode nodeTo
 ) {
-  exists(string name, Cfg::CallNode call, ArgumentPosition keywordPos |
+  exists(string name, CallNode call, ArgumentPosition keywordPos |
     nodeTo = TSynthDictSplatArgumentNode(call) and
     getCallArg(call, _, _, nodeFrom, keywordPos) and
     keywordPos.isKeyword(name) and
@@ -305,7 +289,7 @@ abstract class PostUpdateNodeImpl extends Node {
  * Synthetic post-update nodes for synthetic nodes need to be listed one by one.
  */
 class SyntheticPostUpdateNode extends PostUpdateNodeImpl, TSyntheticPostUpdateNode {
-  Cfg::ControlFlowNode node;
+  ControlFlowNode node;
 
   SyntheticPostUpdateNode() { this = TSyntheticPostUpdateNode(node) }
 
@@ -349,42 +333,16 @@ module LocalFlow {
     //   `x = f(42)`
     //   nodeFrom is `f(42)`
     //   nodeTo is `x`
-    //
-    // We use the CFG-level `DefinitionNode.getValue()` directly rather
-    // than going through SSA, because the new SSA library prunes write
-    // definitions that have no subsequent read in the same scope (e.g.
-    // a module-level `def f():` whose `f` is only read inside other
-    // functions). The CFG-level link is unconditional.
-    //
-    // The Name-target restriction mirrors legacy ESSA's
-    // `SsaDefinitions::assignment_definition`, which required
-    // `defn.(NameNode).defines(v)`. Subscript and attribute writes
-    // (`x[i] = 42`, `obj.attr = 42`) are intentionally excluded — their
-    // value flow is handled by the content-flow / `AttrWrite` machinery,
-    // not by a local-flow step *into* the Subscript/Attribute expression.
-    // Excluding them is essential for keeping augmented-assignment
-    // targets (`x[i] += 42`) classifiable as `LocalSourceNode` on the
-    // read side: the single canonical CFG node is both a load and a
-    // store, and any incoming local-flow step would disqualify it from
-    // being a local source.
-    exists(Cfg::DefinitionNode def |
+    exists(AssignmentDefinition def |
       nodeFrom.(CfgNode).getNode() = def.getValue() and
-      nodeTo.(CfgNode).getNode() = def and
-      def instanceof Cfg::NameNode and
-      // Parameter defaults are evaluated in the enclosing scope, while the
-      // parameter itself lives in the function's scope. The cross-scope
-      // edge is provided by `runtimeJumpStep` instead.
-      not exists(Py::Parameter param | def.getNode() = param.asName())
+      nodeTo.(CfgNode).getNode() = def.getDefiningNode()
     )
     or
     // With definition
     //   `with f(42) as x:`
     //   nodeFrom is `f(42)`
     //   nodeTo is `x`
-    exists(
-      With with, Cfg::ControlFlowNode contextManager, SsaImpl::WithDefinition withDef,
-      Cfg::ControlFlowNode var
-    |
+    exists(With with, ControlFlowNode contextManager, WithDefinition withDef, ControlFlowNode var |
       var = withDef.getDefiningNode()
     |
       nodeFrom.(CfgNode).getNode() = contextManager and
@@ -403,13 +361,13 @@ module LocalFlow {
 
   predicate expressionFlowStep(Node nodeFrom, Node nodeTo) {
     // If expressions
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::IfExprNode).getAnOperand()
+    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(IfExprNode).getAnOperand()
     or
     // Assignment expressions
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::AssignmentExprNode).getValue()
+    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(AssignmentExprNode).getValue()
     or
     // boolean inline expressions such as `x or y` or `x and y`
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::BoolExprNode).getAnOperand()
+    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(BoolExprNode).getAnOperand()
     or
     // Flow inside an unpacking assignment
     iterableUnpackingFlowStep(nodeFrom, nodeTo)
@@ -418,25 +376,12 @@ module LocalFlow {
     matchFlowStep(nodeFrom, nodeTo)
   }
 
-  predicate useToNextUse(Cfg::NameNode nodeFrom, Cfg::NameNode nodeTo) {
-    // The SSA-level adjacent-use predicate works on specific CFG variants
-    // (e.g. boolean-outcome `[true]`/`[false]` or emptiness `[empty]`/`[non-empty]`
-    // splits of the same AST node), but dataflow values are insensitive to
-    // those splits — there is at most one `CfgNode` per AST. Project both
-    // ends through `.getNode()` so all variants contribute their use-use
-    // edges to the canonical pair.
-    exists(Cfg::NameNode fromVariant, Cfg::NameNode toVariant |
-      SsaImpl::AdjacentUses::adjacentUseUse(fromVariant, toVariant) and
-      fromVariant.getNode() = nodeFrom.getNode() and
-      toVariant.getNode() = nodeTo.getNode()
-    )
+  predicate useToNextUse(NameNode nodeFrom, NameNode nodeTo) {
+    AdjacentUses::adjacentUseUse(nodeFrom, nodeTo)
   }
 
-  predicate defToFirstUse(SsaImpl::EssaVariable var, Cfg::NameNode nodeTo) {
-    exists(Cfg::NameNode toVariant |
-      SsaImpl::AdjacentUses::firstUse(var.getDefinition(), toVariant) and
-      toVariant.getNode() = nodeTo.getNode()
-    )
+  predicate defToFirstUse(EssaVariable var, NameNode nodeTo) {
+    AdjacentUses::firstUse(var.getDefinition(), nodeTo)
   }
 
   predicate useUseFlowStep(Node nodeFrom, Node nodeTo) {
@@ -445,13 +390,12 @@ module LocalFlow {
     //   `x = f(y)`
     //   nodeFrom is `y` on first line
     //   nodeTo is `y` on second line
-    exists(SsaImpl::EssaDefinition def, Cfg::NameNode toVariant |
-      nodeFrom.(CfgNode).getNode() = def.(SsaImpl::EssaNodeDefinition).getDefiningNode()
+    exists(EssaDefinition def |
+      nodeFrom.(CfgNode).getNode() = def.(EssaNodeDefinition).getDefiningNode()
       or
       nodeFrom.(ScopeEntryDefinitionNode).getDefinition() = def
     |
-      SsaImpl::AdjacentUses::firstUse(def, toVariant) and
-      toVariant.getNode() = nodeTo.(CfgNode).getNode().getNode()
+      AdjacentUses::firstUse(def, nodeTo.(CfgNode).getNode())
     )
     or
     // Next use after use
@@ -613,9 +557,9 @@ predicate runtimeJumpStep(Node nodeFrom, Node nodeTo) {
   // a parameter with a default value, since the parameter will be in the scope of the
   // function, while the default value itself will be in the scope that _defines_ the
   // function.
-  exists(SsaImpl::ParameterDefinition param |
+  exists(ParameterDefinition param |
     // note: we go to the _control-flow node_ of the parameter, and not the ESSA node of the parameter, since for type-tracking, the ESSA node is not a LocalSourceNode, so we would get in trouble.
-    nodeFrom.asCfgNode().getNode() = param.getParameter().(Parameter).getDefault() and
+    nodeFrom.asCfgNode() = param.getDefault() and
     nodeTo.asCfgNode() = param.getDefiningNode()
   )
   or
@@ -719,7 +663,7 @@ predicate neverSkipInPathGraph(Node n) {
   // ```
   // we would end up saying that the path MUST not skip the x in `y = x`, which is just
   // annoying and doesn't help the path explanation become clearer.
-  n.asCfgNode() = any(SsaImpl::EssaNodeDefinition def).getDefiningNode()
+  n.asCfgNode() = any(EssaNodeDefinition def).getDefiningNode()
 }
 
 /**
@@ -930,7 +874,7 @@ predicate listStoreStep(CfgNode nodeFrom, ListElementContent c, CfgNode nodeTo)
   //   nodeFrom is `42`, cfg node
   //   nodeTo is the list, `[..., 42, ...]`, cfg node
   //   c denotes element of list
-  nodeTo.getNode().(Cfg::ListNode).getAnElement() = nodeFrom.getNode() and
+  nodeTo.getNode().(ListNode).getAnElement() = nodeFrom.getNode() and
   not nodeTo.getNode() instanceof UnpackingAssignmentSequenceTarget and
   // Suppress unused variable warning
   c = c
@@ -943,7 +887,7 @@ predicate setStoreStep(CfgNode nodeFrom, SetElementContent c, CfgNode nodeTo) {
   //   nodeFrom is `42`, cfg node
   //   nodeTo is the set, `{..., 42, ...}`, cfg node
   //   c denotes element of list
-  nodeTo.getNode().(Cfg::SetNode).getAnElement() = nodeFrom.getNode() and
+  nodeTo.getNode().(SetNode).getAnElement() = nodeFrom.getNode() and
   // Suppress unused variable warning
   c = c
 }
@@ -956,7 +900,7 @@ predicate tupleStoreStep(CfgNode nodeFrom, TupleElementContent c, CfgNode nodeTo
   //   nodeTo is the tuple, `(..., 42, ...)`, cfg node
   //   c denotes element of tuple and index of nodeFrom
   exists(int n |
-    nodeTo.getNode().(Cfg::TupleNode).getElement(n) = nodeFrom.getNode() and
+    nodeTo.getNode().(TupleNode).getElement(n) = nodeFrom.getNode() and
     not nodeTo.getNode() instanceof UnpackingAssignmentSequenceTarget and
     c.getIndex() = n
   )
@@ -970,7 +914,7 @@ predicate dictStoreStep(CfgNode nodeFrom, DictionaryElementContent c, Node nodeT
   //   nodeTo is the dict, `{..., "key" = 42, ...}`, cfg node
   //   c denotes element of dictionary and the key `"key"`
   exists(KeyValuePair item |
-    item = nodeTo.asCfgNode().(Cfg::DictNode).getNode().(Dict).getAnItem() and
+    item = nodeTo.asCfgNode().(DictNode).getNode().(Dict).getAnItem() and
     nodeFrom.getNode().getNode() = item.getValue() and
     c.getKey() = item.getKey().(StringLiteral).getS()
   )
@@ -985,9 +929,9 @@ predicate dictStoreStep(CfgNode nodeFrom, DictionaryElementContent c, Node nodeT
 private predicate moreDictStoreSteps(CfgNode nodeFrom, DictionaryElementContent c, Node nodeTo) {
   // NOTE: It's important to add logic to the newtype definition of
   // DictionaryElementContent if you add new cases here.
-  exists(Cfg::SubscriptNode subscript |
+  exists(SubscriptNode subscript |
     nodeTo.(PostUpdateNode).getPreUpdateNode().asCfgNode() = subscript.getObject() and
-    nodeFrom.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+    nodeFrom.asCfgNode() = subscript.(DefinitionNode).getValue() and
     c.getKey() = subscript.getIndex().getNode().(StringLiteral).getText()
   )
   or
@@ -1000,8 +944,8 @@ private predicate moreDictStoreSteps(CfgNode nodeFrom, DictionaryElementContent
 }
 
 predicate dictClearStep(Node node, DictionaryElementContent c) {
-  exists(Cfg::SubscriptNode subscript |
-    subscript instanceof Cfg::DefinitionNode and
+  exists(SubscriptNode subscript |
+    subscript instanceof DefinitionNode and
     node.asCfgNode() = subscript.getObject() and
     c.getKey() = subscript.getIndex().getNode().(StringLiteral).getText()
   )
@@ -1080,7 +1024,7 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
   //   nodeFrom is `l`, cfg node
   //   nodeTo is `l[3]`, cfg node
   //   c is compatible with 3
-  nodeFrom.getNode() = nodeTo.getNode().(Cfg::SubscriptNode).getObject() and
+  nodeFrom.getNode() = nodeTo.getNode().(SubscriptNode).getObject() and
   (
     c instanceof ListElementContent
     or
@@ -1089,10 +1033,10 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
     c instanceof DictionaryElementAnyContent
     or
     c.(TupleElementContent).getIndex() =
-      nodeTo.getNode().(Cfg::SubscriptNode).getIndex().getNode().(IntegerLiteral).getValue()
+      nodeTo.getNode().(SubscriptNode).getIndex().getNode().(IntegerLiteral).getValue()
     or
     c.(DictionaryElementContent).getKey() =
-      nodeTo.getNode().(Cfg::SubscriptNode).getIndex().getNode().(StringLiteral).getS()
+      nodeTo.getNode().(SubscriptNode).getIndex().getNode().(StringLiteral).getS()
   )
 }
 
@@ -1147,7 +1091,7 @@ module Conversions {
 
   predicate formatReadStep(Node nodeFrom, ContentSet c, Node nodeTo) {
     // % formatting
-    exists(Cfg::BinaryExprNode fmt | fmt = nodeTo.asCfgNode() |
+    exists(BinaryExprNode fmt | fmt = nodeTo.asCfgNode() |
       fmt.getOp() instanceof Mod and
       fmt.getRight() = nodeFrom.asCfgNode()
     ) and

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -5,14 +5,11 @@ overlay[local]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import codeql.controlflow.SuccessorType
 private import DataFlowPrivate
 import semmle.python.dataflow.new.TypeTracking
 import Attributes
 import LocalSources
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
+private import semmle.python.essa.SsaCompute
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.frameworks.data.ModelsAsData
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -30,18 +27,16 @@ private import semmle.python.frameworks.data.ModelsAsData
 overlay[local]
 newtype TNode =
   /** A node corresponding to a control flow node. */
-  TCfgNode(Cfg::ControlFlowNode node) {
+  TCfgNode(ControlFlowNode node) {
     isExpressionNode(node)
     or
-    node.injects(_) and node.getNode() instanceof Pattern
+    node.getNode() instanceof Pattern
   } or
   /**
    * A node corresponding to a scope entry definition. That is, the value of a variable
    * as it enters a scope.
    */
-  TScopeEntryDefinitionNode(SsaImpl::ScopeEntryDefinition def) {
-    not def.getScope() instanceof Module
-  } or
+  TScopeEntryDefinitionNode(ScopeEntryDefinition def) { not def.getScope() instanceof Module } or
   /**
    * A synthetic node representing the value of an object before a state change.
    *
@@ -52,15 +47,13 @@ newtype TNode =
   // NOTE: since we can't rely on the call graph, but we want to have synthetic
   // pre-update nodes for class calls, we end up getting synthetic pre-update nodes for
   // ALL calls :|
-  TSyntheticPreUpdateNode(Cfg::CallNode call) { call.injects(_) } or
+  TSyntheticPreUpdateNode(CallNode call) or
   /**
    * A synthetic node representing the value of an object after a state change.
    * See QLDoc for `PostUpdateNode`.
    */
-  TSyntheticPostUpdateNode(Cfg::ControlFlowNode node) {
-    node.injects(_) and
-    (
-    exists(Cfg::CallNode call |
+  TSyntheticPostUpdateNode(ControlFlowNode node) {
+    exists(CallNode call |
       node = call.getArg(_)
       or
       node = call.getArgByName(_)
@@ -69,12 +62,12 @@ newtype TNode =
       node = call.getFunction()
     )
     or
-    node = any(Cfg::AttrNode a).getObject()
+    node = any(AttrNode a).getObject()
     or
-    node = any(Cfg::SubscriptNode s).getObject()
+    node = any(SubscriptNode s).getObject()
     or
     // self parameter when used implicitly in `super()`
-    exists(Class cls, Function func, SsaImpl::ParameterDefinition def |
+    exists(Class cls, Function func, ParameterDefinition def |
       func = cls.getAMethod() and
       not isStaticmethod(func) and
       // this matches what we do in ExtractedParameterNode
@@ -84,7 +77,6 @@ newtype TNode =
     or
     // the iterable argument to the implicit comprehension function
     node.getNode() = any(Comp c).getIterable()
-    )
   } or
   /** A node representing a global (module-level) variable in a specific module. */
   TModuleVariableNode(Module m, GlobalVariable v) { v.getScope() = m } or
@@ -120,9 +112,7 @@ newtype TNode =
     exists(ParameterPosition ppos | ppos.isStarArgs(_) | exists(callable.getParameter(ppos)))
   } or
   /** A synthetic node to capture keyword arguments that are passed to a `**kwargs` parameter. */
-  TSynthDictSplatArgumentNode(Cfg::CallNode call) {
-    call.injects(_) and exists(call.getArgByName(_))
-  } or
+  TSynthDictSplatArgumentNode(CallNode call) { exists(call.getArgByName(_)) } or
   /** A synthetic node to allow flow to keyword parameters from a `**kwargs` argument. */
   TSynthDictSplatParameterNode(DataFlowCallable callable) {
     exists(ParameterPosition ppos | ppos.isKeyword(_) | exists(callable.getParameter(ppos)))
@@ -138,15 +128,15 @@ newtype TNode =
    * A synthetic node representing the values of the variables captured
    * by the callable being called.
    */
-  TSynthCapturedVariablesArgumentNode(Cfg::ControlFlowNode callable) {
-    callable.injects(_) and callable = any(Cfg::CallNode c).getFunction()
+  TSynthCapturedVariablesArgumentNode(ControlFlowNode callable) {
+    callable = any(CallNode c).getFunction()
   } or
   /**
    * A synthetic node representing the values of the variables captured
    * by the callable being called, after the output has been computed.
    */
-  TSynthCapturedVariablesArgumentPostUpdateNode(Cfg::ControlFlowNode callable) {
-    callable.injects(_) and callable = any(Cfg::CallNode c).getFunction()
+  TSynthCapturedVariablesArgumentPostUpdateNode(ControlFlowNode callable) {
+    callable = any(CallNode c).getFunction()
   } or
   /** A synthetic node representing the values of variables captured by a comprehension. */
   TSynthCompCapturedVariablesArgumentNode(Comp comp) {
@@ -204,7 +194,7 @@ class Node extends TNode {
   }
 
   /** Gets the control-flow node corresponding to this node, if any. */
-  Cfg::ControlFlowNode asCfgNode() { none() }
+  ControlFlowNode asCfgNode() { none() }
 
   /** Gets the expression corresponding to this node, if any. */
   Expr asExpr() { none() }
@@ -217,14 +207,14 @@ class Node extends TNode {
 
 /** A data-flow node corresponding to a control-flow node. */
 class CfgNode extends Node, TCfgNode {
-  Cfg::ControlFlowNode node;
+  ControlFlowNode node;
 
   CfgNode() { this = TCfgNode(node) }
 
-  /** Gets the `Cfg::ControlFlowNode` represented by this data-flow node. */
-  Cfg::ControlFlowNode getNode() { result = node }
+  /** Gets the `ControlFlowNode` represented by this data-flow node. */
+  ControlFlowNode getNode() { result = node }
 
-  override Cfg::ControlFlowNode asCfgNode() { result = node }
+  override ControlFlowNode asCfgNode() { result = node }
 
   /** Gets a textual representation of this element. */
   override string toString() { result = node.toString() }
@@ -234,9 +224,9 @@ class CfgNode extends Node, TCfgNode {
   override Location getLocation() { result = node.getLocation() }
 }
 
-/** A data-flow node corresponding to a `Cfg::CallNode` in the control-flow graph. */
+/** A data-flow node corresponding to a `CallNode` in the control-flow graph. */
 class CallCfgNode extends CfgNode, LocalSourceNode {
-  override Cfg::CallNode node;
+  override CallNode node;
 
   /**
    * Gets the data-flow node for the function component of the call corresponding to this data-flow
@@ -317,15 +307,15 @@ ExprNode exprNode(DataFlowExpr e) { result.getNode().getNode() = e }
  * as it enters a scope.
  */
 class ScopeEntryDefinitionNode extends Node, TScopeEntryDefinitionNode {
-  SsaImpl::ScopeEntryDefinition def;
+  ScopeEntryDefinition def;
 
   ScopeEntryDefinitionNode() { this = TScopeEntryDefinitionNode(def) }
 
-  /** Gets the `SsaImpl::ScopeEntryDefinition` associated with this node. */
-  SsaImpl::ScopeEntryDefinition getDefinition() { result = def }
+  /** Gets the `ScopeEntryDefinition` associated with this node. */
+  ScopeEntryDefinition getDefinition() { result = def }
 
   /** Gets the source variable represented by this node. */
-  SsaImpl::SsaSourceVariable getVariable() { result = def.getSourceVariable() }
+  SsaSourceVariable getVariable() { result = def.getSourceVariable() }
 
   override Location getLocation() { result = def.getLocation() }
 
@@ -347,7 +337,7 @@ class ParameterNode extends Node instanceof ParameterNodeImpl {
 /** A parameter node found in the source code (not in a summary). */
 class ExtractedParameterNode extends ParameterNodeImpl, CfgNode {
   //, LocalSourceNode {
-  SsaImpl::ParameterDefinition def;
+  ParameterDefinition def;
 
   ExtractedParameterNode() { node = def.getDefiningNode() }
 
@@ -378,10 +368,10 @@ Node getCallArgApproximation() {
   exists(Class c | result.asExpr() = c.getAMethod().getArg(0))
   or
   // the object part of an attribute expression (which might be a bound method)
-  result.asCfgNode() = any(Cfg::AttrNode a).getObject()
+  result.asCfgNode() = any(AttrNode a).getObject()
   or
   // the function part of any call
-  result.asCfgNode() = any(Cfg::CallNode c).getFunction()
+  result.asCfgNode() = any(CallNode c).getFunction()
 }
 
 /** Gets the extracted argument nodes that do not rely on `getCallArg`. */
@@ -390,7 +380,7 @@ private Node implicitArgumentNode() {
   normalCallArg(_, result, _)
   or
   // and self arguments
-  result.asCfgNode() = any(Cfg::CallNode c).getFunction().(Cfg::AttrNode).getObject()
+  result.asCfgNode() = any(CallNode c).getFunction().(AttrNode).getObject()
   or
   // for comprehensions, we allow the synthetic `iterable` argument
   result.asExpr() = any(Comp c).getIterable()
@@ -499,20 +489,17 @@ class ModuleVariableNode extends Node, TModuleVariableNode {
     not result.getScope() = mod
   }
 
-  /** Gets a CFG node that corresponds to an assignment of this global variable. */
+  /** Gets an `EssaNode` that corresponds to an assignment of this global variable. */
   Node getAWrite() {
-    exists(Cfg::NameNode n |
-      n.defines(var) and
-      result.asCfgNode() = n
-    )
+    any(EssaNodeDefinition def).definedBy(var, result.asCfgNode().(DefinitionNode))
   }
 
   /** Gets the possible values of the variable at the end of import time */
   CfgNode getADefiningWrite() {
-    exists(SsaImpl::EssaVariable def |
-      def = any(SsaImpl::EssaVariable ssa_var).getAnUltimateDefinition() and
-      def.getDefinition().(SsaImpl::EssaNodeDefinition).getDefiningNode() = result.asCfgNode() and
-      def.getSourceVariable().getVariable() = var
+    exists(SsaVariable def |
+      def = any(SsaVariable ssa_var).getAnUltimateDefinition() and
+      def.getDefinition() = result.asCfgNode() and
+      def.getVariable() = var
     )
   }
 
@@ -529,7 +516,7 @@ private ModuleVariableNode import_star_read(Node n) {
 overlay[global]
 pragma[nomagic]
 private predicate resolved_import_star_module(Module m, string name, Node n) {
-  exists(Cfg::NameNode nn | nn = n.asCfgNode() |
+  exists(NameNode nn | nn = n.asCfgNode() |
     ImportStar::importStarResolvesTo(pragma[only_bind_into](nn), m) and
     nn.getId() = name
   )
@@ -587,88 +574,88 @@ class StarPatternElementNode extends Node, TStarPatternElementNode {
 }
 
 /**
- * A node that participates in a conditional split: a CFG node whose
- * evaluation outcome (true/false) is used to choose between two
- * successor basic blocks. In the shared CFG, branching is detected
- * via typed successor edges (boolean successor types) on the unique
- * `injects` node for each AST expression.
+ * Gets a node that controls whether other nodes are evaluated.
  *
- * Users typically obtain a `GuardNode` by casting from a more specific
- * Cfg type: `g.(Cfg::CallNode)` for a call-based check, etc.
+ * In the base case, this is the last node of `conditionBlock`, and `flipped` is `false`.
+ * This definition accounts for (short circuting) `and`- and `or`-expressions, as the structure
+ * of basic blocks will reflect their semantics.
+ *
+ * However, in the program
+ * ```python
+ * if not is_safe(path):
+ *   return
+ * ```
+ * the last node in the `ConditionBlock` is `not is_safe(path)`.
+ *
+ * We would like to consider also `is_safe(path)` a guard node, albeit with `flipped` being `true`.
+ * Thus we recurse through `not`-expressions.
  */
-class GuardNode extends Cfg::ControlFlowNode {
-  GuardNode() {
-    // This node has boolean successor edges (directly or via wrapping).
-    outcomeOfGuard(this, _, _)
-  }
-
-  /** Holds if this guard controls block `b` upon evaluating to `branch`. */
-  predicate controlsBlock(Cfg::BasicBlock b, boolean branch) {
-    exists(CfgImpl::BasicBlock outcomeBB |
-      outcomeOfGuard(this, outcomeBB, branch) and
-      outcomeBB.dominates(b)
+ControlFlowNode guardNode(ConditionBlock conditionBlock, boolean flipped) {
+  // Base case: the last node truly does determine which successor is chosen
+  result = conditionBlock.getLastNode() and
+  flipped = false
+  or
+  // Recursive cases:
+  // if a guard node is a `not`-expression,
+  // the operand is also a guard node, but with inverted polarity.
+  exists(UnaryExprNode notNode |
+    result = notNode.getOperand() and
+    notNode.getNode().getOp() instanceof Not
+  |
+    notNode = guardNode(conditionBlock, flipped.booleanNot())
+  )
+  or
+  // if a guard node is compared to a boolean literal,
+  // the other operand is also a guard node,
+  // but with polarity depending on the literal (and on the comparison).
+  exists(CompareNode cmpNode, Cmpop op, ControlFlowNode b, boolean should_flip |
+    (
+      cmpNode.operands(result, op, b) or
+      cmpNode.operands(b, op, result)
+    ) and
+    not result.getNode() instanceof BooleanLiteral and
+    (
+      // comparing to the boolean
+      (op instanceof Eq or op instanceof Is) and
+      // we should flip if the value compared against, here the value of `b`, is false
+      should_flip = b.getNode().(BooleanLiteral).booleanValue().booleanNot()
+      or
+      // comparing to the negation of the boolean
+      (op instanceof NotEq or op instanceof IsNot) and
+      // again, we should flip if the value compared against, here the value of `not b`, is false.
+      // That is, if the value of `b` is true.
+      should_flip = b.getNode().(BooleanLiteral).booleanValue()
     )
-  }
+  |
+    // we flip `flipped` according to `should_flip` via the formula `flipped xor should_flip`.
+    flipped in [true, false] and
+    cmpNode = guardNode(conditionBlock, flipped.booleanXor(should_flip))
+  )
 }
 
 /**
- * Holds if `outcomeBB` is the basic block entered when `guard` evaluates
- * to `branch`.
+ * A node that controls whether other nodes are evaluated.
  *
- * For a direct guard `if g:`, the outcome BB starts at the after-value
- * node for the matching branch. For wrapped guards like `not g` or
- * `g == True`, we follow those wrappers up the AST to find the
- * outermost expression that actually branches, with an appropriate
- * polarity transform.
+ * The field `flipped` allows us to match `GuardNode`s underneath
+ * `not`-expressions and still choose the appropriate branch.
  */
-private predicate outcomeOfGuard(
-  Cfg::ControlFlowNode guard, CfgImpl::BasicBlock outcomeBB, boolean branch
-) {
-  // Base case: the guard has boolean successor edges.
-  // Only the canonical representative (injects) can act as a guard base.
-  guard.injects(_) and
-  exists(BooleanSuccessor t |
-    t.getValue() = branch and
-    outcomeBB = guard.(CfgImpl::ControlFlowNode).getASuccessor(t).getBasicBlock()
-  )
-  or
-  // Recursive: `not guard` — same outcome split as `guard`, flipped.
-  exists(Cfg::UnaryExprNode notNode, boolean notBranch |
-    notNode.injects(_) and
-    notNode.getOperand().getNode() = guard.getNode() and
-    notNode.getNode().getOp() instanceof Not and
-    outcomeOfGuard(notNode, outcomeBB, notBranch) and
-    branch = notBranch.booleanNot()
-  )
-  or
-  // Recursive: comparisons against a boolean literal.
-  exists(
-    Cfg::CompareNode cmpNode, Cmpop op, Cfg::ControlFlowNode otherOperand,
-    Cfg::ControlFlowNode guardOperand, boolean polarity, boolean cmpBranch
-  |
-    cmpNode.injects(_) and
-    guardOperand.getNode() = guard.getNode() and
-    (
-      cmpNode.operands(guardOperand, op, otherOperand) or
-      cmpNode.operands(otherOperand, op, guardOperand)
-    ) and
-    not guard.getNode() instanceof BooleanLiteral and
-    (
-      (op instanceof Eq or op instanceof Is) and
-      polarity = otherOperand.getNode().(BooleanLiteral).booleanValue()
-      or
-      (op instanceof NotEq or op instanceof IsNot) and
-      polarity = otherOperand.getNode().(BooleanLiteral).booleanValue().booleanNot()
-    ) and
-    outcomeOfGuard(cmpNode, outcomeBB, cmpBranch) and
-    branch = cmpBranch.booleanXor(polarity.booleanNot())
-  )
+class GuardNode extends ControlFlowNode {
+  ConditionBlock conditionBlock;
+  boolean flipped;
+
+  GuardNode() { this = guardNode(conditionBlock, flipped) }
+
+  /** Holds if this guard controls block `b` upon evaluating to `branch`. */
+  predicate controlsBlock(BasicBlock b, boolean branch) {
+    branch in [true, false] and
+    conditionBlock.controls(b, branch.booleanXor(flipped))
+  }
 }
 
 /**
  * Holds if the guard `g` validates `node` upon evaluating to `branch`.
  */
-signature predicate guardChecksSig(GuardNode g, Cfg::ControlFlowNode node, boolean branch);
+signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch);
 
 /**
  * Provides a set of barrier nodes for a guard that validates a node.
@@ -683,9 +670,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     result = ParameterizedBarrierGuard<Unit, extendedGuardChecks/4>::getABarrierNode(_)
   }
 
-  private predicate extendedGuardChecks(
-    GuardNode g, Cfg::ControlFlowNode node, boolean branch, Unit u
-  ) {
+  private predicate extendedGuardChecks(GuardNode g, ControlFlowNode node, boolean branch, Unit u) {
     guardChecks(g, node, branch) and
     u = u
   }
@@ -695,7 +680,7 @@ bindingset[this]
 private signature class ParamSig;
 
 private module WithParam<ParamSig P> {
-  signature predicate guardChecksSig(GuardNode g, Cfg::ControlFlowNode node, boolean branch, P param);
+  signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch, P param);
 }
 
 /**
@@ -708,16 +693,10 @@ module ParameterizedBarrierGuard<ParamSig P, WithParam<P>::guardChecksSig/4 guar
   /** Gets a node that is safely guarded by the given guard check with parameter `param`. */
   overlay[global]
   ExprNode getABarrierNode(P param) {
-    exists(GuardNode g, SsaImpl::EssaDefinition def, Cfg::ControlFlowNode node, boolean branch |
-      SsaImpl::AdjacentUses::useOfDef(def, node) and
+    exists(GuardNode g, EssaDefinition def, ControlFlowNode node, boolean branch |
+      AdjacentUses::useOfDef(def, node) and
       guardChecks(g, node, branch, param) and
-      SsaImpl::AdjacentUses::useOfDef(def, result.asCfgNode()) and
-      // The protected use must be a different SSA position than the test
-      // position itself: `controlsBlock` is reflexive on dominance, and
-      // the test expression is an SSA-use position on the def-use chain.
-      // Without this guard, the test position would be returned as a
-      // barrier and block flow before it can reach genuine branch uses.
-      node != result.asCfgNode() and
+      AdjacentUses::useOfDef(def, result.asCfgNode()) and
       g.controlsBlock(result.asCfgNode().getBasicBlock(), branch)
     )
   }
@@ -733,7 +712,7 @@ module ExternalBarrierGuard {
   private import semmle.python.ApiGraphs
 
   overlay[global]
-  private predicate guardCheck(GuardNode g, Cfg::ControlFlowNode node, boolean branch, string kind) {
+  private predicate guardCheck(GuardNode g, ControlFlowNode node, boolean branch, string kind) {
     exists(API::CallNode call, API::Node parameter |
       parameter = call.getAParameter() and
       parameter = ModelOutput::getABarrierGuardNode(kind, branch)
@@ -769,10 +748,10 @@ newtype TContent =
   TSetElementContent() or
   /** An element of a tuple at a specific index. */
   TTupleElementContent(int index) {
-    exists(any(Cfg::TupleNode tn).getElement(index))
+    exists(any(TupleNode tn).getElement(index))
     or
     // Arguments can overflow and end up in the starred parameter tuple.
-    exists(any(Cfg::CallNode cn).getArg(index))
+    exists(any(CallNode cn).getArg(index))
     or
     // since flow summaries might use tuples, we ensure that we at least have valid
     // TTupleElementContent for the 0..7 (7 was picked to match `small_tuple` in
@@ -789,14 +768,10 @@ newtype TContent =
     or
     // d["key"] = ...
     key =
-      any(Cfg::SubscriptNode sub |
-        sub.isStore()
-      |
-        sub.getIndex().getNode().(StringLiteral).getText()
-      )
+      any(SubscriptNode sub | sub.isStore() | sub.getIndex().getNode().(StringLiteral).getText())
     or
     // d.setdefault("key", ...)
-    exists(Cfg::CallNode call | call.getFunction().(Cfg::AttrNode).getName() = "setdefault" |
+    exists(CallNode call | call.getFunction().(AttrNode).getName() = "setdefault" |
       key = call.getArg(0).getNode().(StringLiteral).getText()
     )
   } or

python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll

@@ -5,18 +5,17 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.dataflow.new.TypeTracking
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
 
 /**
- * Holds if the name of `var` refers to a submodule of a package and `init` is
- * the `__init__` module of that package. Locally inlined replacement for the
- * legacy `SsaSource::init_module_submodule_defn` so that this module has no
- * direct dependency on `semmle.python.essa.SsaDefinitions`.
+ * Holds if `init` is a package's `__init__.py` and `var` is a global variable in
+ * `init` whose name matches a submodule of the package.
+ *
+ * Inlined from `SsaSource::init_module_submodule_defn` to avoid pulling
+ * `semmle.python.essa.SsaDefinitions` into the new dataflow stack.
  */
 private predicate initModuleSubmoduleDefn(GlobalVariable var, Module init) {
   init.isPackageInit() and
@@ -82,19 +81,13 @@ module ImportResolution {
    * Holds if there is an ESSA step from `defFrom` to `defTo`, which should be allowed
    * for import resolution.
    */
-  private predicate allowedEssaImportStep(
-    SsaImpl::EssaDefinition defFrom, SsaImpl::EssaDefinition defTo
-  ) {
+  private predicate allowedEssaImportStep(EssaDefinition defFrom, EssaDefinition defTo) {
     // to handle definitions guarded by if-then-else
-    defFrom = defTo.(SsaImpl::PhiFunction).getAnInput()
+    defFrom = defTo.(PhiFunction).getAnInput()
     or
-    // to handle uncertain writes such as `from X import *`, which create an
-    // uncertain SSA definition for every name in the importing scope. The
-    // immediately preceding definition is still potentially the value of the
-    // module export.
-    SsaImpl::Ssa::uncertainWriteDefinitionInput(defTo, defFrom)
-    // Note: legacy ESSA refinement-step (e.g. for `foo.bar = X`) is
-    // not modelled in the new SSA beyond the cases handled above.
+    // refined variable
+    // example: https://github.com/nvbn/thefuck/blob/ceeaeab94b5df5a4fe9d94d61e4f6b0bbea96378/thefuck/utils.py#L25-L45
+    defFrom = defTo.(EssaNodeRefinement).getInput().getDefinition()
   }
 
   /**
@@ -111,32 +104,30 @@ module ImportResolution {
     // Definitions made inside `m` itself
     //
     // for code such as `foo = ...; foo.bar = ...` there will be TWO
-    // SsaImpl::EssaDefinition/SsaImpl::EssaVariable. One for `foo = ...` (SsaImpl::AssignmentDefinition) and one
+    // EssaDefinition/EssaVariable. One for `foo = ...` (AssignmentDefinition) and one
     // for `foo.bar = ...`. The one for `foo.bar = ...` (EssaNodeRefinement). The
     // EssaNodeRefinement is the one that will reach the end of the module (normal
     // exit).
     //
     // However, we cannot just use the EssaNodeRefinement as the `val`, because the
     // normal data-flow depends on use-use flow, and use-use flow targets CFG nodes not
-    // EssaNodes. So we need to go back from the SsaImpl::EssaDefinition/SsaImpl::EssaVariable that
+    // EssaNodes. So we need to go back from the EssaDefinition/EssaVariable that
     // reaches the end of the module, to the first definition of the variable, and then
     // track forwards using use-use flow to find a suitable CFG node that has flow into
     // it from use-use flow.
-    exists(SsaImpl::EssaVariable lastUseVar, SsaImpl::EssaVariable firstDef |
+    exists(EssaVariable lastUseVar, EssaVariable firstDef |
       lastUseVar.getName() = name and
       // we ignore special variable $ introduced by our analysis (not used for anything)
       // we ignore special variable * introduced by `from <pkg> import *` -- TODO: understand why we even have this?
       not name in ["$", "*"] and
-      exists(Cfg::ControlFlowNode exit |
-        exit.isNormalExit() and exit.getScope() = m and lastUseVar.getAUse() = exit
-      ) and
+      lastUseVar.getAUse() = m.getANormalExit() and
       allowedEssaImportStep*(firstDef, lastUseVar) and
       not allowedEssaImportStep(_, firstDef)
     |
       not LocalFlow::defToFirstUse(firstDef, _) and
-      val.asCfgNode() = firstDef.getDefinition().(SsaImpl::EssaNodeDefinition).getDefiningNode()
+      val.asCfgNode() = firstDef.getDefinition().(EssaNodeDefinition).getDefiningNode()
       or
-      exists(Cfg::ControlFlowNode mid, Cfg::ControlFlowNode end |
+      exists(ControlFlowNode mid, ControlFlowNode end |
         LocalFlow::defToFirstUse(firstDef, mid) and
         LocalFlow::useToNextUse*(mid, end) and
         not LocalFlow::useToNextUse(end, _) and
@@ -164,9 +155,9 @@ module ImportResolution {
    * handles simple cases where we can statically tell that this is the case.
    */
   private predicate all_mentions_name(Module m, string name) {
-    exists(Cfg::DefinitionNode def, Cfg::SequenceNode n |
+    exists(DefinitionNode def, SequenceNode n |
       def.getValue() = n and
-      def.(Cfg::NameNode).getId() = "__all__" and
+      def.(NameNode).getId() = "__all__" and
       def.getScope() = m and
       any(StringLiteral s | s.getText() = name) = n.getAnElement().getNode()
     )
@@ -179,20 +170,18 @@ module ImportResolution {
    */
   private predicate no_or_complicated_all(Module m) {
     // No mention of `__all__` in the module
-    not exists(Cfg::DefinitionNode def |
-      def.getScope() = m and def.(Cfg::NameNode).getId() = "__all__"
-    )
+    not exists(DefinitionNode def | def.getScope() = m and def.(NameNode).getId() = "__all__")
     or
     // `__all__` is set to a non-sequence value
-    exists(Cfg::DefinitionNode def |
-      def.(Cfg::NameNode).getId() = "__all__" and
+    exists(DefinitionNode def |
+      def.(NameNode).getId() = "__all__" and
       def.getScope() = m and
-      not def.getValue() instanceof Cfg::SequenceNode
+      not def.getValue() instanceof SequenceNode
     )
     or
     // `__all__` is used in some way that doesn't involve storing a value in it. This usually means
     // it is being mutated through `append` or `extend`, which we don't handle.
-    exists(Cfg::NameNode n | n.getId() = "__all__" and n.getScope() = m and n.isLoad())
+    exists(NameNode n | n.getId() = "__all__" and n.getScope() = m and n.isLoad())
   }
 
   private predicate potential_module_export(Module m, string name) {
@@ -200,7 +189,7 @@ module ImportResolution {
     or
     no_or_complicated_all(m) and
     (
-      exists(Cfg::NameNode n | n.getId() = name and n.getScope() = m and name.charAt(0) != "_")
+      exists(NameNode n | n.getId() = name and n.getScope() = m and name.charAt(0) != "_")
       or
       exists(Alias a | a.getAsname().(Name).getId() = name and a.getValue().getScope() = m)
     )
@@ -230,12 +219,12 @@ module ImportResolution {
 
   /** Gets a module that may have been added to `sys.modules`. */
   private Module sys_modules_module_with_name(string name) {
-    exists(Cfg::ControlFlowNode n, DataFlow::Node mod |
-      exists(Cfg::SubscriptNode sub |
+    exists(ControlFlowNode n, DataFlow::Node mod |
+      exists(SubscriptNode sub |
         sub.getObject() = sys_modules_reference().asCfgNode() and
         sub.getIndex() = n and
         n.getNode().(StringLiteral).getText() = name and
-        sub.(Cfg::DefinitionNode).getValue() = mod.asCfgNode() and
+        sub.(DefinitionNode).getValue() = mod.asCfgNode() and
         mod = getModuleReference(result)
       )
     )
@@ -347,11 +336,11 @@ module ImportResolution {
     // name as a submodule, we always consider that this attribute _could_ be a
     // reference to the submodule, even if we don't know that the submodule has been
     // imported yet.
-    exists(string submodule, Module package, SsaImpl::EssaVariable var |
+    exists(string submodule, Module package, EssaVariable var |
       submodule = var.getName() and
-      initModuleSubmoduleDefn(var.getSourceVariable().getVariable(), package) and
+      initModuleSubmoduleDefn(var.getSourceVariable(), package) and
       m = getModuleFromName(package.getPackageName() + "." + submodule) and
-      result.asCfgNode() = var.getDefinition().(SsaImpl::EssaNodeDefinition).getDefiningNode()
+      result.asCfgNode() = var.getDefinition().(EssaNodeDefinition).getDefiningNode()
     )
   }
 

python/ql/lib/semmle/python/dataflow/new/internal/ImportStar.qll

@@ -3,7 +3,6 @@ overlay[local]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.internal.Builtins
 private import semmle.python.dataflow.new.internal.ImportResolution
 private import semmle.python.dataflow.new.DataFlow
@@ -16,7 +15,7 @@ module ImportStar {
    */
   overlay[local]
   cached
-  predicate namePossiblyDefinedInImportStar(Cfg::NameNode n, string name, Scope s) {
+  predicate namePossiblyDefinedInImportStar(NameNode n, string name, Scope s) {
     n.isLoad() and
     name = n.getId() and
     s = n.getScope().getEnclosingScope*() and
@@ -53,7 +52,7 @@ module ImportStar {
   /** Holds if a global variable called `name` is assigned a value in the module `m`. */
   cached
   predicate globalNameDefinedInModule(string name, Module m) {
-    exists(Cfg::NameNode n |
+    exists(NameNode n |
       not exists(LocalVariable v | n.defines(v)) and
       n.isStore() and
       name = n.getId() and
@@ -67,7 +66,7 @@ module ImportStar {
    */
   overlay[global]
   cached
-  predicate importStarResolvesTo(Cfg::NameNode n, Module m) {
+  predicate importStarResolvesTo(NameNode n, Module m) {
     m = getStarImported+(n.getEnclosingModule()) and
     globalNameDefinedInModule(n.getId(), m) and
     not isDefinedLocally(n.getNode())
@@ -100,7 +99,7 @@ module ImportStar {
    */
   overlay[local]
   cached
-  Cfg::ControlFlowNode potentialImportStarBase(Scope s) {
-    result = any(Cfg::ImportStarNode n | n.getScope() = s).getModule()
+  ControlFlowNode potentialImportStarBase(Scope s) {
+    result = any(ImportStarNode n | n.getScope() = s).getModule()
   }
 }

python/ql/lib/semmle/python/dataflow/new/internal/IterableUnpacking.qll

@@ -170,8 +170,6 @@ overlay[local]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import DataFlowPublic
 
 /**
@@ -180,7 +178,7 @@ private import DataFlowPublic
  * This class abstracts away the differing representations of comprehensions and
  * for statements.
  */
-class ForTarget extends Cfg::ControlFlowNode {
+class ForTarget extends ControlFlowNode {
   Expr source;
 
   ForTarget() {
@@ -200,7 +198,7 @@ class ForTarget extends Cfg::ControlFlowNode {
 }
 
 /** The LHS of an assignment, it also records the assigned value. */
-class AssignmentTarget extends Cfg::ControlFlowNode {
+class AssignmentTarget extends ControlFlowNode {
   Expr value;
 
   AssignmentTarget() {
@@ -211,7 +209,7 @@ class AssignmentTarget extends Cfg::ControlFlowNode {
 }
 
 /** A direct (or top-level) target of an unpacking assignment. */
-class UnpackingAssignmentDirectTarget extends Cfg::ControlFlowNode instanceof Cfg::SequenceNode {
+class UnpackingAssignmentDirectTarget extends ControlFlowNode instanceof SequenceNode {
   Expr value;
 
   UnpackingAssignmentDirectTarget() {
@@ -224,7 +222,7 @@ class UnpackingAssignmentDirectTarget extends Cfg::ControlFlowNode instanceof Cf
 }
 
 /** A (possibly recursive) target of an unpacking assignment. */
-class UnpackingAssignmentTarget extends Cfg::ControlFlowNode {
+class UnpackingAssignmentTarget extends ControlFlowNode {
   UnpackingAssignmentTarget() {
     this instanceof UnpackingAssignmentDirectTarget
     or
@@ -233,11 +231,10 @@ class UnpackingAssignmentTarget extends Cfg::ControlFlowNode {
 }
 
 /** A (possibly recursive) target of an unpacking assignment which is also a sequence. */
-class UnpackingAssignmentSequenceTarget extends UnpackingAssignmentTarget instanceof Cfg::SequenceNode
-{
-  Cfg::ControlFlowNode getElement(int i) { result = super.getElement(i) }
+class UnpackingAssignmentSequenceTarget extends UnpackingAssignmentTarget instanceof SequenceNode {
+  ControlFlowNode getElement(int i) { result = super.getElement(i) }
 
-  Cfg::ControlFlowNode getAnElement() { result = this.getElement(_) }
+  ControlFlowNode getAnElement() { result = this.getElement(_) }
 }
 
 /**
@@ -258,7 +255,7 @@ predicate iterableUnpackingAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
 predicate iterableUnpackingForReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
   exists(ForTarget target |
     nodeFrom.getNode().getNode() = target.getSource() and
-    target instanceof Cfg::SequenceNode and
+    target instanceof SequenceNode and
     nodeTo = TIterableSequenceNode(target)
   ) and
   (
@@ -326,11 +323,11 @@ predicate iterableUnpackingConvertingStoreStep(Node nodeFrom, Content c, Node no
  */
 predicate iterableUnpackingElementReadStep(Node nodeFrom, Content c, Node nodeTo) {
   exists(
-    UnpackingAssignmentSequenceTarget target, int index, Cfg::ControlFlowNode element, int starIndex
+    UnpackingAssignmentSequenceTarget target, int index, ControlFlowNode element, int starIndex
   |
-    target.getElement(starIndex) instanceof Cfg::StarredNode
+    target.getElement(starIndex) instanceof StarredNode
     or
-    not exists(target.getAnElement().(Cfg::StarredNode)) and
+    not exists(target.getAnElement().(StarredNode)) and
     starIndex = -1
   |
     nodeFrom.(CfgNode).getNode() = target and
@@ -345,18 +342,18 @@ predicate iterableUnpackingElementReadStep(Node nodeFrom, Content c, Node nodeTo
         else c.(TupleElementContent).getIndex() >= index - 1
     ) and
     (
-      if element instanceof Cfg::SequenceNode
+      if element instanceof SequenceNode
       then
         // Step 5b
         nodeTo = TIterableSequenceNode(element)
       else
-        if element instanceof Cfg::StarredNode
+        if element instanceof StarredNode
         then
           // Step 5c
           nodeTo = TIterableElementNode(element)
         else
           // Step 5a
-          exists(SsaImpl::MultiAssignmentDefinition mad | element = mad.getDefiningNode() |
+          exists(MultiAssignmentDefinition mad | element = mad.getDefiningNode() |
             nodeTo.(CfgNode).getNode() = element
           )
     )
@@ -369,7 +366,7 @@ predicate iterableUnpackingElementReadStep(Node nodeFrom, Content c, Node nodeTo
  * content type `ListElementContent`.
  */
 predicate iterableUnpackingStarredElementStoreStep(Node nodeFrom, Content c, Node nodeTo) {
-  exists(Cfg::ControlFlowNode starred, SsaImpl::MultiAssignmentDefinition mad |
+  exists(ControlFlowNode starred, MultiAssignmentDefinition mad |
     starred.getNode() instanceof Starred and
     starred = mad.getDefiningNode()
   |

python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll

@@ -9,7 +9,6 @@ overlay[local]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import DataFlowPublic
 private import DataFlowPrivate
 private import semmle.python.internal.CachedStages
@@ -315,7 +314,7 @@ private module Cached {
    */
   cached
   predicate subscript(LocalSourceNode node, CfgNode subscript, CfgNode index) {
-    exists(CfgNode seq, Cfg::SubscriptNode subscriptNode | subscriptNode = subscript.getNode() |
+    exists(CfgNode seq, SubscriptNode subscriptNode | subscriptNode = subscript.getNode() |
       node.flowsTo(seq) and
       seq.getNode() = subscriptNode.getObject() and
       index.getNode() = subscriptNode.getIndex()

python/ql/lib/semmle/python/dataflow/new/internal/MatchUnpacking.qll

@@ -91,7 +91,9 @@ predicate matchAsFlowStep(Node nodeFrom, Node nodeTo) {
     or
     // the interior pattern flows to the alias
     nodeFrom.(CfgNode).getNode().getNode() = subject.getPattern() and
-    nodeTo.(CfgNode).getNode().getNode() = alias
+    exists(PatternAliasDefinition pad | pad.getDefiningNode().getNode() = alias |
+      nodeTo.(CfgNode).getNode() = pad.getDefiningNode()
+    )
   )
 }
 
@@ -122,9 +124,11 @@ predicate matchLiteralFlowStep(Node nodeFrom, Node nodeTo) {
  * syntax (toplevel): `case var:`
  */
 predicate matchCaptureFlowStep(Node nodeFrom, Node nodeTo) {
-  exists(MatchCapturePattern capture |
+  exists(MatchCapturePattern capture, Name var | capture.getVariable() = var |
     nodeFrom.(CfgNode).getNode().getNode() = capture and
-    nodeTo.(CfgNode).getNode().getNode() = capture.getVariable()
+    exists(PatternCaptureDefinition pcd | pcd.getDefiningNode().getNode() = var |
+      nodeTo.(CfgNode).getNode() = pcd.getDefiningNode()
+    )
   )
 }
 

python/ql/lib/semmle/python/dataflow/new/internal/SsaImpl.qll

@@ -1,548 +0,0 @@
-/**
- * Provides the Python SSA implementation built on the new (shared) CFG.
- *
- * Mirrors the Java SSA adapter at
- * `java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll`:
- * an `InputSig` is defined in terms of positional `(BasicBlock, int)`
- * variable references, and the shared
- * `codeql.ssa.Ssa::Make<Location, Cfg, Input>` module is then
- * instantiated.
- *
- * `SourceVariable` is the AST-level `Py::Variable`. Variable references
- * are looked up via the CFG facade's `NameNode.defines`/`uses`/`deletes`
- * predicates, which themselves are one-line bridges to AST-level
- * `Name.defines`/`uses`/`deletes`.
- *
- * Implicit-entry definitions are inserted for:
- *   - non-local / global / builtin variables that are read in the scope
- *     but never assigned (no enclosing CFG node defines them),
- *   - captured variables (variables defined in an enclosing scope that
- *     are read inside the scope), and
- *   - parameters, but only if the corresponding parameter name is *not*
- *     itself a CFG node. With the C#-style parameter wiring already
- *     installed in `AstNodeImpl.qll`, parameter names *are* CFG nodes,
- *     so the regular `variableWrite` path handles them — no `i = -1`
- *     entry is needed for ordinary parameters.
- */
-overlay[local?]
-module;
-
-private import python as Py
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import codeql.ssa.Ssa as SsaImplCommon
-private import codeql.controlflow.BasicBlock as BB
-
-/**
- * Adapts the Python `Cfg` facade to the shared SSA library's `CfgSig`.
- * All members are inherited from `Cfg::ControlFlowNode` and
- * `Cfg::BasicBlock`.
- */
-private module CfgForSsa implements BB::CfgSig<Py::Location> {
-  class ControlFlowNode = CfgImpl::ControlFlowNode;
-
-  class BasicBlock = CfgImpl::BasicBlock;
-
-  class EntryBasicBlock = CfgImpl::Cfg::EntryBasicBlock;
-
-  predicate dominatingEdge = CfgImpl::Cfg::dominatingEdge/2;
-}
-
-/**
- * A source variable for SSA, wrapping a Python AST `Variable`.
- *
- * We only track variables that are read at least once in their scope —
- * tracking write-only variables would be unnecessary work — *except*
- * for module-scope globals, where the "read" can be external (e.g.
- * `import mymodule; mymodule.x`). Such globals are tracked
- * unconditionally so that import-resolution can find their defining
- * write.
- */
-private newtype TSsaSourceVariable =
-  TPyVar(Py::Variable v) {
-    // Has a use somewhere — read-relevant for SSA.
-    exists(Cfg::NameNode n | n.uses(v))
-    or
-    // Or has a deletion (treated as a write that destroys the value).
-    exists(Cfg::NameNode n | n.deletes(v))
-    or
-    // Or is a module-scope global written in this module — must be
-    // tracked even if never read locally, because importers may read
-    // it as an attribute on the module object.
-    v.getScope() instanceof Py::Module and
-    exists(Cfg::NameNode n | n.defines(v))
-    or
-    // Or is a parameter — parameters must always have a
-    // `ParameterDefinition` for dataflow argument-routing to work,
-    // even if the parameter is never read in its scope. Mirrors
-    // legacy ESSA's `ParameterDefinition` (which fired for every
-    // parameter binding regardless of liveness).
-    exists(Py::Parameter p | p.asName() = v.getAStore())
-  }
-
-/**
- * A source variable for SSA, wrapping a Python AST `Variable`.
- */
-class SsaSourceVariable extends TSsaSourceVariable {
-  /** Gets the underlying Python AST variable. */
-  Py::Variable getVariable() { this = TPyVar(result) }
-
-  /** Gets the (textual) name of this variable. */
-  string getName() { result = this.getVariable().getId() }
-
-  /** Gets a textual representation of this source variable. */
-  string toString() { result = this.getVariable().toString() }
-
-  /** Gets the location of this source variable. */
-  Py::Location getLocation() { result = this.getVariable().getScope().getLocation() }
-
-  /** Gets the scope in which this variable lives. */
-  Py::Scope getScope() { result = this.getVariable().getScope() }
-
-  /**
-   * Gets a use of this variable as it appears in the source — a `NameNode`
-   * that loads or deletes the variable. Mirrors legacy
-   * `SsaSourceVariable.getASourceUse()`.
-   */
-  Cfg::ControlFlowNode getASourceUse() {
-    exists(Cfg::NameNode n | result = n |
-      n.uses(this.getVariable()) or n.deletes(this.getVariable())
-    )
-  }
-
-  /**
-   * Gets an implicit use of this variable. The new SSA does not have
-   * implicit-use refinements, but we keep this for API parity — every
-   * normal-exit of the variable's scope counts as a sink, ensuring
-   * variables stay live to scope exit for taint-tracking.
-   */
-  Cfg::ControlFlowNode getAnImplicitUse() {
-    result.isNormalExit() and result.getScope() = this.getScope()
-  }
-
-  /**
-   * Gets a use of this variable — either an explicit source use or an
-   * implicit use at scope exit. Mirrors legacy `SsaSourceVariable.getAUse()`.
-   */
-  Cfg::ControlFlowNode getAUse() {
-    result = this.getASourceUse() or result = this.getAnImplicitUse()
-  }
-}
-
-/**
- * Holds if `v` is a non-local read in scope `s`, in the sense that `s`
- * uses `v` but does not write it within `s`. This includes globals,
- * builtins, and variables captured from an enclosing function scope.
- *
- * The `Py::Variable` `v` lives in some defining scope (the module for
- * globals, an outer function for closures, etc.); the reading scope
- * `s` is the scope where the use of `v` occurs.
- */
-private predicate nonLocalReadIn(Py::Variable v, Py::Scope s) {
-  exists(Cfg::NameNode n |
-    n.uses(v) and
-    n.getScope() = s and
-    not exists(Cfg::NameNode def | def.defines(v) and def.getScope() = s)
-  ) and
-  // Match legacy ESSA: only create entry defs for variables that have
-  // at least one defining store somewhere — otherwise the entry def
-  // represents "nothing reaches here", which is the default anyway and
-  // introduces no useful flow. (Legacy's `ModuleVariable` required a
-  // store; this is the closure-aware generalisation.)
-  exists(Cfg::NameNode store | store.defines(v))
-}
-
-/**
- * Holds if `bb` is the entry basic block of a scope where `v` should
- * have an implicit entry definition. This covers:
- *   - non-local / global / builtin variables read in `s`, and
- *   - captured variables (defined in an enclosing scope but read in `s`).
- *
- * Each reading scope gets its own entry def, so a closure variable can
- * have multiple entry defs across all functions/methods that read it.
- *
- * Parameters are *not* included: their bound `Name` is itself a CFG
- * node (per the C#-style parameter wiring), so `variableWrite` fires at
- * the parameter's natural CFG index.
- */
-private predicate hasEntryDefIn(SsaSourceVariable v, CfgImpl::BasicBlock bb) {
-  exists(Py::Scope s |
-    nonLocalReadIn(v.getVariable(), s) and
-    bb = entryBlock(s)
-  )
-}
-
-/**
- * Gets the entry basic block of scope `s`, where implicit entry
- * definitions are placed (at synthetic index `-1`).
- */
-private CfgImpl::BasicBlock entryBlock(Py::Scope s) {
-  exists(CfgImpl::ControlFlowNode entry |
-    entry instanceof CfgImpl::ControlFlow::EntryNode and
-    entry.getEnclosingCallable().asScope() = s and
-    result = entry.getBasicBlock()
-  )
-}
-
-/**
- * The SSA `InputSig` for Python. References are positional
- * `(BasicBlock, int)` pairs into the new CFG.
- */
-private module SsaImplInput implements SsaImplCommon::InputSig<Py::Location, CfgImpl::BasicBlock> {
-  class SourceVariable = SsaSourceVariable;
-
-  predicate variableWrite(CfgImpl::BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    // Explicit binding at a CFG node — includes assignments,
-    // parameter Names (wired in via the C# pattern), exception-handler
-    // `as`-bindings, import aliases, and match-pattern captures.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.defines(v.getVariable()) and
-      certain = true
-    )
-    or
-    // `del x` — removes the binding. Modelled as a certain write that
-    // makes any subsequent read invalid.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.deletes(v.getVariable()) and
-      certain = true
-    )
-    or
-    // Implicit entry definition for non-local / captured / global /
-    // builtin variables read in some scope. Each reading scope's entry
-    // block gets one such write, allowing closures: e.g. when `x` is a
-    // parameter of an outer function and read inside a nested
-    // function, both scopes get entry defs for `x`.
-    hasEntryDefIn(v, bb) and
-    i = -1 and
-    certain = true
-    or
-    // `from X import *` — possibly rebinds every name in the importing
-    // scope. Modelled as an uncertain write at the import-star's CFG
-    // position for every variable that lives in (or is referenced
-    // from) the same scope as the import-star. Mirrors legacy ESSA's
-    // `ImportStarRefinement` (see `essa/SsaDefinitions.qll`'s
-    // `import_star_refinement` predicate). The write is uncertain so
-    // that prior definitions of the variable remain available — the
-    // shared-SSA `SsaUncertainWrite` merges the new value with the
-    // immediately preceding definition.
-    exists(Cfg::ImportStarNode imp |
-      imp.injects(_) and
-      bb.getNode(i) = imp and
-      certain = false and
-      (
-        v.getVariable().getScope() = imp.getScope()
-        or
-        // Variable is defined in some other scope but referenced in
-        // the same scope as the import-star (matches legacy clause 2:
-        // `other.uses(v) and def.getScope() = other.getScope()`).
-        exists(Cfg::NameNode other |
-          other.uses(v.getVariable()) and
-          imp.getScope() = other.getScope()
-        )
-      )
-    )
-  }
-
-  predicate variableRead(CfgImpl::BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    // Explicit source use — a `Name` load or a `del x` of the variable.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.uses(v.getVariable()) and
-      certain = true
-    )
-    or
-    // Synthetic use at the normal exit of the variable's defining scope.
-    // This keeps every variable live to scope exit so that callers (e.g.
-    // `module_export` in ImportResolution.qll, or taint-tracking pass-through
-    // through unread locals) can ask "which definition reaches end of
-    // scope?". Mirrors legacy ESSA's `SsaSourceVariable.getAUse()` which
-    // included `getScope().getANormalExit()`.
-    exists(Cfg::ControlFlowNode exit |
-      exit.isNormalExit() and
-      exit.getScope() = v.getVariable().getScope() and
-      bb.getNode(i) = exit and
-      certain = true
-    )
-  }
-}
-
-/**
- * The shared SSA instantiation for Python.
- *
- * Members:
- *   - `Definition` — the union of explicit, uncertain, and phi definitions
- *   - `WriteDefinition`, `UncertainWriteDefinition`, `PhiNode`
- *   - the standard SSA predicates (`getAUse`, `getAnUltimateDefinition`, ...).
- */
-module Ssa = SsaImplCommon::Make<Py::Location, CfgForSsa, SsaImplInput>;
-
-final class Definition = Ssa::Definition;
-
-final class WriteDefinition = Ssa::WriteDefinition;
-
-final class UncertainWriteDefinition = Ssa::UncertainWriteDefinition;
-
-final class PhiNode = Ssa::PhiNode;
-
-// ===========================================================================
-// ESSA-shaped adapter layer
-//
-// The dataflow library (`python/ql/lib/semmle/python/dataflow/new/`) and
-// related modules (`ApiGraphs.qll`, etc.) consume the legacy ESSA API
-// (`EssaVariable`, `EssaDefinition`, `AssignmentDefinition`,
-// `ScopeEntryDefinition`, `ParameterDefinition`, `WithDefinition`,
-// `PhiFunction`, plus the `AdjacentUses` module). To migrate them off
-// the legacy CFG, we expose the same API surface on top of the
-// shared SSA built above.
-//
-// This adapter is intentionally narrow: it covers only the predicates
-// that new dataflow consumes. The richer legacy ESSA — refinement
-// nodes, attribute refinements, edge refinements — stays available
-// via `semmle.python.essa.Essa` for points-to / legacy code.
-// ===========================================================================
-/**
- * Gets the CFG node at which a write definition's binding takes place.
- *
- * For ordinary writes (assignment, deletion, parameter) this is the
- * canonical CFG node of the bound Name. For implicit entry definitions
- * (synthesised at position `-1` of a scope's entry BB) this is the
- * scope's entry node.
- */
-private Cfg::ControlFlowNode writeDefNode(Ssa::WriteDefinition def) {
-  exists(CfgImpl::BasicBlock bb, int i | def.definesAt(_, bb, i) |
-    i >= 0 and result = bb.getNode(i)
-    or
-    i = -1 and result = bb.getNode(0)
-  )
-}
-
-/**
- * A write definition whose binding has a corresponding CFG node — i.e.
- * everything that's not a phi node. Mirrors legacy ESSA's
- * `EssaNodeDefinition`.
- */
-class EssaNodeDefinition extends Ssa::WriteDefinition {
-  /** Gets the CFG node where this definition's binding takes place. */
-  Cfg::ControlFlowNode getDefiningNode() { result = writeDefNode(this) }
-
-  /** Gets the variable defined here (legacy name). */
-  SsaSourceVariable getVariable() { result = this.getSourceVariable() }
-
-  /** Gets the enclosing scope. */
-  Py::Scope getScope() {
-    exists(Cfg::ControlFlowNode n | n = this.getDefiningNode() | result = n.getScope())
-  }
-
-  /**
-   * Holds if this definition defines source variable `v` at CFG node
-   * `defNode`. Flatter form of `getSourceVariable()` +
-   * `getDefiningNode()`, matching legacy ESSA's `definedBy`.
-   */
-  predicate definedBy(SsaSourceVariable v, Cfg::ControlFlowNode defNode) {
-    v = this.getSourceVariable() and defNode = this.getDefiningNode()
-  }
-}
-
-/**
- * An assignment definition: any binding where the value being assigned
- * is statically known via `Cfg::DefinitionNode.getValue()`. Includes
- * plain assignments, walrus, annotated assignments, augmented
- * assignments, import aliases (`import x` / `from m import x [as y]`),
- * `with ... as x`, and for-target bindings (where `getValue()` returns
- * the iter expression's CFG node). Excludes parameter bindings —
- * those are modelled by `ParameterDefinition`.
- */
-class AssignmentDefinition extends EssaNodeDefinition {
-  AssignmentDefinition() {
-    exists(Cfg::NameNode n | n = this.getDefiningNode() |
-      exists(n.(Cfg::DefinitionNode).getValue()) and
-      not n.(Cfg::ControlFlowNode).isParameter()
-    )
-  }
-
-  /** Gets the CFG node for the value being assigned, if statically known. */
-  Cfg::ControlFlowNode getValue() {
-    result = this.getDefiningNode().(Cfg::DefinitionNode).getValue()
-  }
-}
-
-/**
- * A parameter definition — the binding of a parameter name in a
- * function's scope.
- */
-class ParameterDefinition extends EssaNodeDefinition {
-  ParameterDefinition() { this.getDefiningNode().isParameter() }
-
-  /** Gets the AST `Parameter` (a `Py::Name` in param context). */
-  Py::Name getParameter() { result = this.getDefiningNode().getNode() }
-}
-
-/**
- * A definition introduced by a `with ... as x:` clause.
- */
-class WithDefinition extends EssaNodeDefinition {
-  WithDefinition() {
-    exists(Cfg::NameNode n, Py::With w |
-      n = this.getDefiningNode() and
-      w.getOptionalVars() = n.getNode()
-    )
-  }
-}
-
-/**
- * An assignment where the LHS is a tuple/list and the RHS is unpacked:
- * `a, b = (1, 2)` or `a, *rest = xs`. The SSA def lives at the inner
- * `Name` CFG node, but for IterableUnpacking integration we expose
- * the enclosing `StarredNode` as the `getDefiningNode()` for `*rest`
- * patterns — mirroring legacy ESSA's `multi_assignment_definition`,
- * which placed the def at the StarredNode CFG node.
- */
-class MultiAssignmentDefinition extends EssaNodeDefinition {
-  MultiAssignmentDefinition() {
-    exists(Cfg::NameNode n | n = super.getDefiningNode() |
-      exists(Py::Assign a, Py::Expr lhs |
-        a.getATarget() = lhs and
-        (lhs instanceof Py::Tuple or lhs instanceof Py::List) and
-        lhs.getASubExpression+() = n.getNode()
-      )
-      or
-      // For-loop with tuple/list target: `for a, b in xs:` —
-      // tuple-unpacking semantics applies to the for-target.
-      exists(Py::For f, Py::Expr lhs |
-        f.getTarget() = lhs and
-        (lhs instanceof Py::Tuple or lhs instanceof Py::List) and
-        lhs.getASubExpression+() = n.getNode()
-      )
-    )
-  }
-
-  override Cfg::ControlFlowNode getDefiningNode() {
-    // Default: the underlying `Name` CFG node (where the SSA def lives).
-    not exists(Cfg::StarredNode s |
-      s.getNode().(Py::Starred).getValue() = super.getDefiningNode().getNode()
-    ) and
-    result = super.getDefiningNode()
-    or
-    // Exception: for `*rest`, expose the enclosing `Starred` CFG node
-    // so that `IterableUnpacking::iterableUnpackingStarredElementStoreStep`
-    // can attach the rest-list to it.
-    exists(Cfg::StarredNode s |
-      s.getNode().(Py::Starred).getValue() = super.getDefiningNode().getNode()
-    |
-      result = s
-    )
-  }
-}
-
-/**
- * An implicit entry definition for a non-local / captured / global /
- * builtin variable read in a scope but not defined there.
- *
- * Inherits from `EssaNodeDefinition` and exposes the scope's entry node
- * as its defining node (matching legacy ESSA semantics).
- */
-class ScopeEntryDefinition extends EssaNodeDefinition {
-  ScopeEntryDefinition() {
-    exists(CfgImpl::BasicBlock bb |
-      this.definesAt(_, bb, -1) and
-      bb instanceof CfgImpl::Cfg::EntryBasicBlock
-    )
-  }
-
-  /** Gets the enclosing scope (the scope whose entry block this def is in). */
-  override Py::Scope getScope() {
-    exists(CfgImpl::BasicBlock bb |
-      this.definesAt(_, bb, -1) and
-      result = bb.getNode(0).(Cfg::ControlFlowNode).getScope()
-    )
-  }
-}
-
-/** A phi node (alias matching legacy naming). */
-class PhiFunction extends PhiNode {
-  /**
-   * Gets an input to this phi function (a definition that flows into
-   * the phi from one of its predecessor blocks). Mirrors legacy
-   * ESSA's `PhiFunction.getAnInput()`.
-   */
-  Ssa::Definition getAnInput() { Ssa::phiHasInputFromBlock(this, result, _) }
-}
-
-/** Base class for all ESSA definitions (legacy-shaped). */
-class EssaDefinition = Ssa::Definition;
-
-/**
- * An adapter representing a single SSA-defined "variable" — wrapping
- * one `Ssa::Definition`. Mirrors legacy `EssaVariable` API.
- */
-class EssaVariable extends Ssa::Definition {
-  /** Gets the underlying SSA definition (legacy name). */
-  Ssa::Definition getDefinition() { result = this }
-
-  /**
-   * Gets a CFG node where this definition is used. Includes regular
-   * `Name` reads as well as the synthetic scope-exit "use" registered
-   * via `SsaImplInput::variableRead` — mirrors legacy ESSA's
-   * `EssaVariable.getAUse()` which inherited the synthetic exit-use
-   * from `SsaSourceVariable`.
-   */
-  Cfg::ControlFlowNode getAUse() {
-    exists(CfgImpl::BasicBlock bb, int i |
-      Ssa::ssaDefReachesRead(this.getSourceVariable(), this, bb, i) and
-      bb.getNode(i) = result
-    )
-  }
-
-  /** Gets the (textual) name of the underlying variable. */
-  string getName() { result = this.getSourceVariable().getVariable().getId() }
-
-  /** Gets the scope in which this variable lives. */
-  Py::Scope getScope() { result = this.getSourceVariable().getVariable().getScope() }
-
-  /** Gets an ultimate non-phi ancestor of this definition. */
-  EssaVariable getAnUltimateDefinition() {
-    if this instanceof PhiNode
-    then
-      exists(Ssa::Definition input |
-        Ssa::phiHasInputFromBlock(this, input, _) and
-        result = input.(EssaVariable).getAnUltimateDefinition()
-      )
-    else result = this
-  }
-}
-
-/**
- * Adjacent use-use and def-use relations exposed by the shared SSA
- * library. Provides the same interface as legacy
- * `semmle.python.essa.SsaCompute::AdjacentUses`.
- */
-module AdjacentUses {
-  /** Holds if `nodeFrom` and `nodeTo` are adjacent uses of the same SSA variable. */
-  predicate adjacentUseUse(Cfg::NameNode nodeFrom, Cfg::NameNode nodeTo) {
-    exists(SsaSourceVariable v, CfgImpl::BasicBlock bb1, int i1, CfgImpl::BasicBlock bb2, int i2 |
-      Ssa::adjacentUseUse(bb1, i1, bb2, i2, v, _) and
-      nodeFrom = bb1.getNode(i1) and
-      nodeTo = bb2.getNode(i2)
-    )
-  }
-
-  /** Holds if `use` is a first use of definition `def`. */
-  predicate firstUse(Ssa::Definition def, Cfg::NameNode use) {
-    exists(CfgImpl::BasicBlock bb, int i |
-      Ssa::firstUse(def, bb, i, _) and
-      use = bb.getNode(i)
-    )
-  }
-
-  /**
-   * Holds if `use` is any reachable use of definition `def`. Combines
-   * `firstUse` with transitive use-use adjacency.
-   */
-  predicate useOfDef(Ssa::Definition def, Cfg::NameNode use) {
-    firstUse(def, use)
-    or
-    exists(Cfg::NameNode mid | useOfDef(def, mid) and adjacentUseUse(mid, use))
-  }
-}

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -1,6 +1,4 @@
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -99,7 +97,7 @@ import Cached
  * and isn't a big problem in practice.
  */
 predicate concatStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
-  exists(Cfg::BinaryExprNode add | add = nodeTo.getNode() |
+  exists(BinaryExprNode add | add = nodeTo.getNode() |
     add.getOp() instanceof Add and add.getAnOperand() = nodeFrom.getNode()
   )
 }
@@ -108,7 +106,7 @@ predicate concatStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
  * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to subscripting.
  */
 predicate subscriptStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
-  nodeTo.getNode().(Cfg::SubscriptNode).getObject() = nodeFrom.getNode()
+  nodeTo.getNode().(SubscriptNode).getObject() = nodeFrom.getNode()
 }
 
 /**
@@ -124,15 +122,15 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
     (
       call = API::builtin(["str", "bytes", "unicode"]).getACall()
       or
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() in ["str", "bytes", "unicode"]
+      call.getFunction().asCfgNode().(NameNode).getId() in ["str", "bytes", "unicode"]
     ) and
     nodeFrom in [call.getArg(0), call.getArgByName("object")]
   )
   or
   // String methods. Note that this doesn't recognize `meth = "foo".upper; meth()`
-  exists(Cfg::CallNode call, string method_name, Cfg::ControlFlowNode object |
+  exists(CallNode call, string method_name, ControlFlowNode object |
     call = nodeTo.getNode() and
-    object = call.getFunction().(Cfg::AttrNode).getObject(method_name)
+    object = call.getFunction().(AttrNode).getObject(method_name)
   |
     nodeFrom.getNode() = object and
     method_name in [
@@ -158,7 +156,7 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
   )
   or
   // % formatting
-  exists(Cfg::BinaryExprNode fmt | fmt = nodeTo.getNode() |
+  exists(BinaryExprNode fmt | fmt = nodeTo.getNode() |
     fmt.getOp() instanceof Mod and
     (
       fmt.getLeft() = nodeFrom.getNode()
@@ -168,7 +166,7 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
   )
   or
   // string multiplication -- `"foo" * 10`
-  exists(Cfg::BinaryExprNode mult | mult = nodeTo.getNode() |
+  exists(BinaryExprNode mult | mult = nodeTo.getNode() |
     mult.getOp() instanceof Mult and
     mult.getLeft() = nodeFrom.getNode()
   )
@@ -215,8 +213,8 @@ predicate awaitStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
  * the variable `f` is tainted if the result of `open("foo")` is tainted.
  */
 predicate asyncWithStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  exists(With with, Cfg::ControlFlowNode contextManager, Cfg::ControlFlowNode var |
-    var = any(SsaImpl::WithDefinition wd).getDefiningNode()
+  exists(With with, ControlFlowNode contextManager, ControlFlowNode var |
+    var = any(WithDefinition wd).getDefiningNode()
   |
     nodeFrom.(DataFlow::CfgNode).getNode() = contextManager and
     nodeTo.(DataFlow::CfgNode).getNode() = var and

python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll

@@ -2,8 +2,6 @@ import codeql.util.Unit
 import codeql.typetracking.TypeTracking as Shared
 import codeql.typetracking.internal.TypeTrackingImpl as SharedImpl
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import semmle.python.internal.CachedStages
 private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
@@ -164,7 +162,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
     // ignore the flow steps from the synthetic sequence node to the real sequence node,
     // since we only support one level of content in type-trackers, and the nested
     // structure requires two levels at least to be useful.
-    not exists(Cfg::SequenceNode outer |
+    not exists(SequenceNode outer |
       outer.getAnElement() = nodeTo.asCfgNode() and
       IterableUnpacking::iterableUnpackingTupleFlowStep(nodeFrom, nodeTo)
     )
@@ -269,7 +267,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
     // Since we only support one level of content in type-trackers we don't actually
     // support `(aa, ab), (ba, bb) = ...`. Therefore we exclude the read-step from `(aa,
     // ab)` to `aa` (since it is not needed).
-    not exists(Cfg::SequenceNode outer |
+    not exists(SequenceNode outer |
       outer.getAnElement() = nodeFrom.asCfgNode() and
       IterableUnpacking::iterableUnpackingTupleFlowStep(_, nodeFrom)
     ) and
@@ -279,7 +277,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
       IterableUnpacking::iterableUnpackingForReadStep(_, _, seq) and
       IterableUnpacking::iterableUnpackingConvertingReadStep(seq, _, elem) and
       IterableUnpacking::iterableUnpackingConvertingStoreStep(elem, _, nodeFrom) and
-      nodeFrom.asCfgNode() instanceof Cfg::SequenceNode
+      nodeFrom.asCfgNode() instanceof SequenceNode
     )
     or
     TypeTrackerSummaryFlow::basicLoadStep(nodeFrom, nodeTo, DataFlowPublic::singleton(content))
@@ -317,15 +315,13 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
     //
     // nodeFrom is `expr`
     // nodeTo is entry node for `f`
-    exists(
-      SsaImpl::ScopeEntryDefinition e, SsaImpl::SsaSourceVariable var, Cfg::DefinitionNode def
-    |
+    exists(ScopeEntryDefinition e, SsaSourceVariable var, DefinitionNode def |
       e.getSourceVariable() = var and
-      def.getNode() = var.getVariable().getAStore()
+      var.hasDefiningNode(def)
     |
       nodeTo.(DataFlowPublic::ScopeEntryDefinitionNode).getDefinition() = e and
       nodeFrom.asCfgNode() = def and
-      var.getVariable().getScope().getScope*() = nodeFrom.getScope()
+      var.getScope().getScope*() = nodeFrom.getScope()
     )
   }
 

python/ql/lib/semmle/python/dataflow/new/internal/VariableCapture.qll

@@ -3,9 +3,6 @@ overlay[local]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import DataFlowPublic
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
 private import codeql.dataflow.VariableCapture as Shared
@@ -17,10 +14,10 @@ private import codeql.dataflow.VariableCapture as Shared
 // The first is the main implementation, the second is a performance motivated restriction.
 // The restriction is to clear any `CapturedVariableContent` before writing a new one
 // to avoid long access paths (see the link for a nice explanation).
-private module CaptureInput implements Shared::InputSig<Location, CfgImpl::BasicBlock> {
+private module CaptureInput implements Shared::InputSig<Location, Cfg::BasicBlock> {
   private import python as PY
 
-  additional class ExprCfgNode extends Cfg::ControlFlowNode {
+  additional class ExprCfgNode extends ControlFlowNode {
     ExprCfgNode() { isExpressionNode(this) }
   }
 
@@ -28,9 +25,7 @@ private module CaptureInput implements Shared::InputSig<Location, CfgImpl::Basic
     predicate isConstructor() { none() }
   }
 
-  Callable basicBlockGetEnclosingCallable(CfgImpl::BasicBlock bb) {
-    result = bb.getEnclosingCallable().asScope()
-  }
+  Callable basicBlockGetEnclosingCallable(Cfg::BasicBlock bb) { result = bb.getScope() }
 
   class CapturedVariable extends LocalVariable {
     Function f;
@@ -56,23 +51,21 @@ private module CaptureInput implements Shared::InputSig<Location, CfgImpl::Basic
   class CapturedParameter extends CapturedVariable {
     CapturedParameter() { this.isParameter() }
 
-    Cfg::ControlFlowNode getCfgNode() { result.getNode().(Parameter) = this.getAnAccess() }
+    ControlFlowNode getCfgNode() { result.getNode().(Parameter) = this.getAnAccess() }
   }
 
   class Expr extends ExprCfgNode {
-    predicate hasCfgNode(CfgImpl::BasicBlock bb, int i) { this = bb.getNode(i) }
+    predicate hasCfgNode(Cfg::BasicBlock bb, int i) { this = bb.getNode(i) }
   }
 
-  class VariableWrite extends Cfg::ControlFlowNode {
+  class VariableWrite extends ControlFlowNode {
     CapturedVariable v;
 
-    VariableWrite() {
-      exists(Cfg::DefinitionNode d | d.getNode() = v.getAStore() | this = d.getValue())
-    }
+    VariableWrite() { exists(DefinitionNode d | d.getNode() = v.getAStore() | this = d.getValue()) }
 
     CapturedVariable getVariable() { result = v }
 
-    predicate hasCfgNode(CfgImpl::BasicBlock bb, int i) { this = bb.getNode(i) }
+    predicate hasCfgNode(Cfg::BasicBlock bb, int i) { this = bb.getNode(i) }
   }
 
   class VariableRead extends Expr {
@@ -87,14 +80,9 @@ private module CaptureInput implements Shared::InputSig<Location, CfgImpl::Basic
     // TODO: Other languages have an extra case here looking like
     //   simpleAstFlowStep(nodeFrom, nodeTo)
     // we should investigate the potential benefit of adding that.
-    exists(SsaImpl::EssaVariable def |
+    exists(SsaVariable def |
       def.getAUse() = nodeTo and
-      def.getAnUltimateDefinition()
-          .getDefinition()
-          .(SsaImpl::EssaNodeDefinition)
-          .getDefiningNode()
-          .(Cfg::DefinitionNode)
-          .getValue() = nodeFrom
+      def.getAnUltimateDefinition().getDefinition().(DefinitionNode).getValue() = nodeFrom
     )
   }
 
@@ -119,7 +107,7 @@ class CapturedVariable = CaptureInput::CapturedVariable;
 
 class ClosureExpr = CaptureInput::ClosureExpr;
 
-module Flow = Shared::Flow<Location, Cfg::CfgSigImpl, CaptureInput>;
+module Flow = Shared::Flow<Location, Cfg, CaptureInput>;
 
 private Flow::ClosureNode asClosureNode(Node n) {
   result = n.(SynthCaptureNode).getSynthesizedCaptureNode()

python/ql/lib/semmle/python/frameworks/Bottle.qll

@@ -4,7 +4,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -158,9 +157,9 @@ module Bottle {
         DataFlow::Node value;
 
         HeaderWriteSubscript() {
-          exists(Cfg::SubscriptNode subscript |
+          exists(SubscriptNode subscript |
             this.asCfgNode() = subscript and
-            value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+            value.asCfgNode() = subscript.(DefinitionNode).getValue() and
             name.asCfgNode() = subscript.getIndex() and
             subscript.getObject() = headers().asSource().asCfgNode()
           )

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -4,7 +4,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
@@ -1306,7 +1305,7 @@ module PrivateDjango {
                   dict.(DataFlow::MethodCallNode).calls(files, "dict")
                 )
               |
-                this.asCfgNode().(Cfg::SubscriptNode).getObject() = dict.asCfgNode()
+                this.asCfgNode().(SubscriptNode).getObject() = dict.asCfgNode()
                 or
                 this.(DataFlow::MethodCallNode).calls(dict, "get")
               )
@@ -1315,7 +1314,7 @@ module PrivateDjango {
               exists(DataFlow::AttrRead files, DataFlow::MethodCallNode getlistCall |
                 files.accesses(instance(), "FILES") and
                 getlistCall.calls(files, "getlist") and
-                this.asCfgNode().(Cfg::SubscriptNode).getObject() = getlistCall.asCfgNode()
+                this.asCfgNode().(SubscriptNode).getObject() = getlistCall.asCfgNode()
               )
             }
           }
@@ -2217,7 +2216,7 @@ module PrivateDjango {
           DataFlow::Node value;
 
           DjangoResponseCookieSubscriptWrite() {
-            exists(Cfg::SubscriptNode subscript, DataFlow::AttrRead cookieLookup |
+            exists(SubscriptNode subscript, DataFlow::AttrRead cookieLookup |
               // To give `this` a value, we need to choose between either LHS or RHS,
               // and just go with the LHS
               this.asCfgNode() = subscript
@@ -2229,7 +2228,7 @@ module PrivateDjango {
               |
                 cookieLookup.flowsTo(subscriptObj)
               ) and
-              value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+              value.asCfgNode() = subscript.(DefinitionNode).getValue() and
               index.asCfgNode() = subscript.getIndex()
             )
           }
@@ -2250,7 +2249,7 @@ module PrivateDjango {
           DataFlow::Node value;
 
           DjangoResponseHeaderSubscriptWrite() {
-            exists(Cfg::SubscriptNode subscript, DataFlow::AttrRead headerLookup |
+            exists(SubscriptNode subscript, DataFlow::AttrRead headerLookup |
               // To give `this` a value, we need to choose between either LHS or RHS,
               // and just go with the LHS
               this.asCfgNode() = subscript
@@ -2262,7 +2261,7 @@ module PrivateDjango {
               |
                 headerLookup.flowsTo(subscriptObj)
               ) and
-              value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+              value.asCfgNode() = subscript.(DefinitionNode).getValue() and
               index.asCfgNode() = subscript.getIndex()
             )
           }
@@ -2285,14 +2284,14 @@ module PrivateDjango {
           DataFlow::Node value;
 
           DjangoResponseSubscriptWrite() {
-            exists(Cfg::SubscriptNode subscript |
+            exists(SubscriptNode subscript |
               // To give `this` a value, we need to choose between either LHS or RHS,
               // and just go with the LHS
               this.asCfgNode() = subscript
             |
               subscript.getObject() =
                 DjangoImpl::DjangoHttp::Response::HttpResponse::instance().asCfgNode() and
-              value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+              value.asCfgNode() = subscript.(DefinitionNode).getValue() and
               index.asCfgNode() = subscript.getIndex()
             )
           }
@@ -2427,7 +2426,7 @@ module PrivateDjango {
     /** Gets a reference to the result of calling the `as_view` classmethod of this class. */
     private DataFlow::TypeTrackingNode asViewResult(DataFlow::TypeTracker t) {
       t.start() and
-      result.asCfgNode().(Cfg::CallNode).getFunction() = this.asViewRef().asCfgNode()
+      result.asCfgNode().(CallNode).getFunction() = this.asViewRef().asCfgNode()
       or
       exists(DataFlow::TypeTracker t2 | result = this.asViewResult(t2).track(t2, t))
     }

python/ql/lib/semmle/python/frameworks/FastApi.qll

@@ -4,7 +4,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
@@ -442,7 +441,7 @@ module FastApi {
       DataFlow::Node value;
 
       HeaderSubscriptWrite() {
-        exists(Cfg::SubscriptNode subscript, DataFlow::AttrRead headerLookup |
+        exists(SubscriptNode subscript, DataFlow::AttrRead headerLookup |
           // To give `this` a value, we need to choose between either LHS or RHS,
           // and just go with the LHS
           this.asCfgNode() = subscript
@@ -451,7 +450,7 @@ module FastApi {
           exists(DataFlow::Node subscriptObj | subscriptObj.asCfgNode() = subscript.getObject() |
             headerLookup.flowsTo(subscriptObj)
           ) and
-          value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+          value.asCfgNode() = subscript.(DefinitionNode).getValue() and
           index.asCfgNode() = subscript.getIndex()
         )
       }

python/ql/lib/semmle/python/frameworks/Gradio.qll

@@ -4,7 +4,6 @@
  */
 
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.ApiGraphs
@@ -52,9 +51,9 @@ module Gradio {
         // limit only to lists of parameters given to `inputs`.
         (
           (
-            call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof Cfg::ListNode
+            call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
             or
-            call.getParameter(1).asSink().asCfgNode() instanceof Cfg::ListNode
+            call.getParameter(1).asSink().asCfgNode() instanceof ListNode
           ) and
           (
             this = call.getKeywordParameter("inputs").getASubscript().getAValueReachingSink()
@@ -76,8 +75,8 @@ module Gradio {
       exists(GradioInput call |
         this = call.getParameter(0, "fn").getParameter(_).asSource() and
         // exclude lists of parameters given to `inputs`
-        not call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof Cfg::ListNode and
-        not call.getParameter(1).asSink().asCfgNode() instanceof Cfg::ListNode
+        not call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode and
+        not call.getParameter(1).asSink().asCfgNode() instanceof ListNode
       )
     }
 
@@ -106,16 +105,16 @@ module Gradio {
         // handle cases where there are multiple arguments passed as a list to `inputs`
         (
           (
-            node.getKeywordParameter("inputs").asSink().asCfgNode() instanceof Cfg::ListNode
+            node.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
             or
-            node.getParameter(1).asSink().asCfgNode() instanceof Cfg::ListNode
+            node.getParameter(1).asSink().asCfgNode() instanceof ListNode
           ) and
           exists(int i | nodeTo = node.getParameter(0, "fn").getParameter(i).asSource() |
             nodeFrom.asCfgNode() =
-              node.getKeywordParameter("inputs").asSink().asCfgNode().(Cfg::ListNode).getElement(i)
+              node.getKeywordParameter("inputs").asSink().asCfgNode().(ListNode).getElement(i)
             or
             nodeFrom.asCfgNode() =
-              node.getParameter(1).asSink().asCfgNode().(Cfg::ListNode).getElement(i)
+              node.getParameter(1).asSink().asCfgNode().(ListNode).getElement(i)
           )
         )
       )

python/ql/lib/semmle/python/frameworks/MarkupSafe.qll

@@ -4,7 +4,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
@@ -47,7 +46,7 @@ module MarkupSafeModel {
 
     /** A direct instantiation of `markupsafe.Markup`. */
     private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
-      override Cfg::CallNode node;
+      override CallNode node;
 
       ClassInstantiation() { this = classRef().getACall() }
     }
@@ -65,7 +64,7 @@ module MarkupSafeModel {
 
     /** A string concatenation with a `markupsafe.Markup` involved. */
     class StringConcat extends Markup::InstanceSource, DataFlow::CfgNode {
-      override Cfg::BinaryExprNode node;
+      override BinaryExprNode node;
 
       StringConcat() {
         node.getOp() instanceof Add and
@@ -80,7 +79,7 @@ module MarkupSafeModel {
 
     /** A %-style string format with `markupsafe.Markup` as the format string. */
     class PercentStringFormat extends Markup::InstanceSource, DataFlow::CfgNode {
-      override Cfg::BinaryExprNode node;
+      override BinaryExprNode node;
 
       PercentStringFormat() {
         node.getOp() instanceof Mod and

python/ql/lib/semmle/python/frameworks/Pycurl.qll

@@ -7,7 +7,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.data.ModelsAsData
@@ -57,7 +56,7 @@ module Pycurl {
     {
       OutgoingRequestCall() {
         this = setopt().getACall() and
-        this.getArg(0).asCfgNode().(Cfg::AttrNode).getName() = "URL"
+        this.getArg(0).asCfgNode().(AttrNode).getName() = "URL"
       }
 
       override DataFlow::Node getAUrlPart() {
@@ -82,7 +81,7 @@ module Pycurl {
     private class CurlSslCall extends Http::Client::Request::Range instanceof DataFlow::CallCfgNode {
       CurlSslCall() {
         this = setopt().getACall() and
-        this.getArg(0).asCfgNode().(Cfg::AttrNode).getName() = ["SSL_VERIFYPEER", "SSL_VERIFYHOST"]
+        this.getArg(0).asCfgNode().(AttrNode).getName() = ["SSL_VERIFYPEER", "SSL_VERIFYHOST"]
       }
 
       override DataFlow::Node getAUrlPart() { none() }

python/ql/lib/semmle/python/frameworks/Pydantic.qll

@@ -7,7 +7,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
@@ -94,7 +93,7 @@ module Pydantic {
       // be a Pydantic model. So `model[0]` will be an overapproximation, but should not
       // really cause problems (since we don't expect real code to contain such accesses)
       nodeFrom = instance() and
-      nodeTo.asCfgNode().(Cfg::SubscriptNode).getObject() = nodeFrom.asCfgNode()
+      nodeTo.asCfgNode().(SubscriptNode).getObject() = nodeFrom.asCfgNode()
     }
 
     /**

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -6,7 +6,6 @@ overlay[local?]
 module;
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -1247,7 +1246,7 @@ module StdlibPrivate {
   /** An additional taint step for calls to `os.path.join` */
   private class OsPathJoinCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      exists(Cfg::CallNode call |
+      exists(CallNode call |
         nodeTo.asCfgNode() = call and
         call = OS::OsPath::join().getACall().asCfgNode() and
         call.getAnArg() = nodeFrom.asCfgNode()
@@ -1318,13 +1317,13 @@ module StdlibPrivate {
           // run, so if we're able to, we only mark the first element as the command
           // (and not the arguments to the command).
           //
-          result.asCfgNode() = arg_args.asCfgNode().(Cfg::SequenceNode).getElement(0)
+          result.asCfgNode() = arg_args.asCfgNode().(SequenceNode).getElement(0)
           or
           // Either the "args" argument is not a sequence (which is valid) or we where
           // just not able to figure it out. Simply mark the "args" argument as the
           // command.
           //
-          not arg_args.asCfgNode() instanceof Cfg::SequenceNode and
+          not arg_args.asCfgNode() instanceof SequenceNode and
           result = arg_args
         )
       )
@@ -1543,7 +1542,7 @@ module StdlibPrivate {
    * See https://docs.python.org/3/library/functions.html#eval
    */
   private class BuiltinsEvalCall extends CodeExecution::Range, DataFlow::CallCfgNode {
-    override Cfg::CallNode node;
+    override CallNode node;
 
     BuiltinsEvalCall() { this = API::builtin("eval").getACall() }
 
@@ -1924,7 +1923,7 @@ module StdlibPrivate {
           nodeFrom = instance().getAValueReachableFromSource() and
           nodeTo = [getvalueRef(), getfirstRef(), getlistRef()].getAValueReachableFromSource()
           or
-          nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::CallNode).getFunction() and
+          nodeFrom.asCfgNode() = nodeTo.asCfgNode().(CallNode).getFunction() and
           (
             nodeFrom = getvalueRef().getAValueReachableFromSource() and
             nodeTo = getvalueResult().asSource()
@@ -1940,7 +1939,7 @@ module StdlibPrivate {
           nodeFrom in [
               instance().getAValueReachableFromSource(), fieldList().getAValueReachableFromSource()
             ] and
-          nodeTo.asCfgNode().(Cfg::SubscriptNode).getObject() = nodeFrom.asCfgNode()
+          nodeTo.asCfgNode().(SubscriptNode).getObject() = nodeFrom.asCfgNode()
           or
           // Attributes on Field
           nodeFrom = field().getAValueReachableFromSource() and
@@ -2255,8 +2254,8 @@ module StdlibPrivate {
       DataFlow::CfgNode
     {
       WsgirefSimpleServerApplicationReturn() {
-        exists(Return ret |
-          ret.getScope() = any(WsgirefSimpleServerApplication requestHandler) and
+        exists(WsgirefSimpleServerApplication requestHandler, Return ret |
+          ret.getScope() = requestHandler and
           node.getNode() = ret.getValue()
         )
       }
@@ -2339,9 +2338,9 @@ module StdlibPrivate {
         DataFlow::Node value;
 
         HeaderWriteSubscript() {
-          exists(Cfg::SubscriptNode subscript |
+          exists(SubscriptNode subscript |
             this.asCfgNode() = subscript and
-            value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+            value.asCfgNode() = subscript.(DefinitionNode).getValue() and
             name.asCfgNode() = subscript.getIndex() and
             subscript.getObject() = instance().asCfgNode()
           )
@@ -2683,7 +2682,7 @@ module StdlibPrivate {
     or
     // Data injection
     //   Special handling of the `/` operator
-    exists(Cfg::BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::TypeTracker t2 |
+    exists(BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::TypeTracker t2 |
       slash.getOp() instanceof Div and
       pathOperand.asCfgNode() = slash.getAnOperand() and
       pathlibPath(t2).flowsTo(pathOperand) and
@@ -2808,7 +2807,7 @@ module StdlibPrivate {
       pathlibPath().flowsTo(nodeTo) and
       (
         // Special handling of the `/` operator
-        exists(Cfg::BinaryExprNode slash, DataFlow::Node pathOperand |
+        exists(BinaryExprNode slash, DataFlow::Node pathOperand |
           slash.getOp() instanceof Div and
           pathOperand.asCfgNode() = slash.getAnOperand() and
           pathlibPath().flowsTo(pathOperand)
@@ -4606,9 +4605,9 @@ module StdlibPrivate {
     }
 
     override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-      exists(Cfg::CallNode c, string name, Cfg::ControlFlowNode n, DataFlow::AttributeContent ac |
-        c.getFunction().(Cfg::NameNode).getId() = "replace" or
-        c.getFunction().(Cfg::AttrNode).getName() = "replace"
+      exists(CallNode c, string name, ControlFlowNode n, DataFlow::AttributeContent ac |
+        c.getFunction().(NameNode).getId() = "replace" or
+        c.getFunction().(AttrNode).getName() = "replace"
       |
         n = c.getArgByName(name) and
         ac.getAttribute() = name and
@@ -5172,10 +5171,10 @@ module StdlibPrivate {
  * See https://docs.python.org/3.9/library/stdtypes.html#str.startswith
  */
 private class StartswithCall extends Path::SafeAccessCheck::Range {
-  StartswithCall() { this.(Cfg::CallNode).getFunction().(Cfg::AttrNode).getName() = "startswith" }
+  StartswithCall() { this.(CallNode).getFunction().(AttrNode).getName() = "startswith" }
 
-  override predicate checks(Cfg::ControlFlowNode node, boolean branch) {
-    node = this.(Cfg::CallNode).getFunction().(Cfg::AttrNode).getObject() and
+  override predicate checks(ControlFlowNode node, boolean branch) {
+    node = this.(CallNode).getFunction().(AttrNode).getObject() and
     branch = true
   }
 }

python/ql/lib/semmle/python/frameworks/Stdlib/Urllib.qll

@@ -8,7 +8,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.security.dataflow.UrlRedirectCustomizations
@@ -92,7 +91,7 @@ private module Urllib {
      * A read of the `netloc` attribute of a parsed URL as returned by `urllib.parse.urlparse`,
      * which is being checked in a way that is relevant for URL redirection vulnerabilities.
      */
-    private predicate netlocCheck(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
+    private predicate netlocCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
       exists(DataFlow::CallCfgNode urlParseCall, DataFlow::AttrRead netlocRead |
         urlParseCall = getUrlParseCall() and
         netlocRead = urlParseCall.getAnAttributeRead("netloc") and

python/ql/lib/semmle/python/frameworks/Tornado.qll

@@ -4,7 +4,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
@@ -73,9 +72,9 @@ module Tornado {
       DataFlow::Node value;
 
       TornadoHeaderSubscriptWrite() {
-        exists(Cfg::SubscriptNode subscript |
+        exists(SubscriptNode subscript |
           subscript.getObject() = instance().asCfgNode() and
-          value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+          value.asCfgNode() = subscript.(DefinitionNode).getValue() and
           index.asCfgNode() = subscript.getIndex() and
           this.asCfgNode() = subscript
         )
@@ -423,7 +422,7 @@ module Tornado {
             // be able to do something more structured for providing modeling of the members
             // of a container-object.
             exists(DataFlow::AttrRead files | files.accesses(instance(), "cookies") |
-              this.asCfgNode().(Cfg::SubscriptNode).getObject() = files.asCfgNode()
+              this.asCfgNode().(SubscriptNode).getObject() = files.asCfgNode()
               or
               this.(DataFlow::MethodCallNode).calls(files, "get")
             )
@@ -480,20 +479,20 @@ module Tornado {
   // routing
   // ---------------------------------------------------------------------------
   /** Gets a sequence that defines a number of route rules */
-  Cfg::SequenceNode routeSetupRuleList() {
-    exists(Cfg::CallNode call |
+  SequenceNode routeSetupRuleList() {
+    exists(CallNode call |
       call = any(TornadoModule::Web::Application::ClassInstantiation c).asCfgNode()
     |
       result in [call.getArg(0), call.getArgByName("handlers")]
     )
     or
-    exists(Cfg::CallNode call |
+    exists(CallNode call |
       call.getFunction() = TornadoModule::Web::Application::add_handlers().asCfgNode()
     |
       result in [call.getArg(1), call.getArgByName("host_handlers")]
     )
     or
-    result = routeSetupRuleList().getElement(_).(Cfg::TupleNode).getElement(1)
+    result = routeSetupRuleList().getElement(_).(TupleNode).getElement(1)
   }
 
   /** A tornado route setup. */
@@ -516,12 +515,12 @@ module Tornado {
 
   /** A route setup using a tuple. */
   private class TornadoTupleRouteSetup extends TornadoRouteSetup, DataFlow::CfgNode {
-    override Cfg::TupleNode node;
+    override TupleNode node;
 
     TornadoTupleRouteSetup() {
       node = routeSetupRuleList().getElement(_) and
       count(node.getElement(_)) = 2 and
-      not node.getElement(1) instanceof Cfg::SequenceNode
+      not node.getElement(1) instanceof SequenceNode
     }
 
     override DataFlow::Node getUrlPatternArg() { result.asCfgNode() = node.getElement(0) }

python/ql/lib/semmle/python/frameworks/Werkzeug.qll

@@ -6,7 +6,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.ApiGraphs
@@ -222,9 +221,9 @@ module Werkzeug {
       DataFlow::Node value;
 
       HeaderWriteSubscript() {
-        exists(Cfg::SubscriptNode subscript |
+        exists(SubscriptNode subscript |
           this.asCfgNode() = subscript and
-          value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+          value.asCfgNode() = subscript.(DefinitionNode).getValue() and
           name.asCfgNode() = subscript.getIndex() and
           subscript.getObject() = instance().asCfgNode()
         )

python/ql/lib/semmle/python/frameworks/Yaml.qll

@@ -8,7 +8,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
@@ -29,7 +28,7 @@ private module Yaml {
    * See https://pyyaml.org/wiki/PyYAMLDocumentation (you will have to scroll down).
    */
   private class YamlLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
-    override Cfg::CallNode node;
+    override CallNode node;
     string func_name;
 
     YamlLoadCall() {

python/ql/lib/semmle/python/frameworks/Yarl.qll

@@ -4,7 +4,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
@@ -112,7 +111,7 @@ module Yarl {
     }
 
     private predicate yarlUrlIsAbsoluteCall(
-      DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch
+      DataFlow::GuardNode g, ControlFlowNode node, boolean branch
     ) {
       exists(ClassInstantiation instance, DataFlow::MethodCallNode call |
         call.calls(instance, "is_absolute") and

python/ql/lib/semmle/python/frameworks/internal/SubclassFinder.qll

@@ -11,7 +11,6 @@ private import semmle.python.dataflow.new.internal.ImportResolution
 private import semmle.python.ApiGraphs
 private import semmle.python.filters.Tests
 private import semmle.python.Module
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 // very much inspired by the draft at https://github.com/github/codeql/pull/5632
 module NotExposed {
@@ -207,7 +206,7 @@ module NotExposed {
     string relevantName, Location loc
   ) {
     loc = mod.getLocation() and
-    exists(API::Node relevantClass, Cfg::ControlFlowNode value |
+    exists(API::Node relevantClass, ControlFlowNode value |
       relevantClass = newOrExistingModeling(spec).getASubclass*() and
       ImportResolution::module_export(mod, relevantName, def) and
       value = relevantClass.getAValueReachableFromSource().asCfgNode() and

python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll

@@ -3,7 +3,6 @@
  */
 
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts as Concepts
 private import semmle.python.regex
@@ -79,7 +78,7 @@ private module FindRegexMode {
     t.start() and
     exists(API::Node flag | flag_name = canonical_name(flag) and result = flag.asSource())
     or
-    exists(Cfg::BinaryExprNode binop, DataFlow::Node operand |
+    exists(BinaryExprNode binop, DataFlow::Node operand |
       operand.getALocalSource() = re_flag_tracker(flag_name, t.continue()) and
       operand.asCfgNode() = binop.getAnOperand() and
       (binop.getOp() instanceof BitOr or binop.getOp() instanceof Add) and

python/ql/lib/semmle/python/security/dataflow/ExceptionInfo.qll

@@ -3,7 +3,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * INTERNAL: Do not use.
@@ -30,7 +29,7 @@ private class TracebackFunctionCall extends ExceptionInfo, DataFlow::CallCfgNode
 private class CaughtException extends ExceptionInfo {
   CaughtException() {
     this.asExpr() = any(ExceptStmt s).getName() and
-    this.asCfgNode().(Cfg::NameNode).defines(_)
+    this.asCfgNode() = any(EssaNodeDefinition def).getDefiningNode()
   }
 }
 

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll

@@ -11,7 +11,6 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.data.internal.ApiGraphModels
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -96,7 +95,7 @@ module ServerSideRequestForgery {
   class StringConstructionAsFullUrlControlSanitizer extends FullUrlControlSanitizer {
     StringConstructionAsFullUrlControlSanitizer() {
       // string concat
-      exists(Cfg::BinaryExprNode add |
+      exists(BinaryExprNode add |
         add.getOp() instanceof Add and
         add.getRight() = this.asCfgNode() and
         not add.getLeft().getNode().(StringLiteral).getText().toLowerCase() in [
@@ -105,7 +104,7 @@ module ServerSideRequestForgery {
       )
       or
       // % formatting
-      exists(Cfg::BinaryExprNode fmt |
+      exists(BinaryExprNode fmt |
         fmt.getOp() instanceof Mod and
         fmt.getRight() = this.asCfgNode() and
         // detecting %-formatting is not super easy, so we simplify it to only handle
@@ -156,9 +155,7 @@ module ServerSideRequestForgery {
     }
   }
 
-  private predicate stringRestriction(
-    DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch
-  ) {
+  private predicate stringRestriction(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
     exists(DataFlow::MethodCallNode call, DataFlow::Node strNode |
       call.asCfgNode() = g and strNode.asCfgNode() = node
     |

python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll

@@ -9,7 +9,6 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -140,8 +139,8 @@ module TarSlip {
    * where `<check_path>` is any function matching `"%path"`.
    * `info` is assumed to be a `TarInfo` instance.
    */
-  predicate tarFileInfoSanitizer(DataFlow::GuardNode g, Cfg::ControlFlowNode tarInfo, boolean branch) {
-    exists(Cfg::CallNode call, Cfg::AttrNode attr |
+  predicate tarFileInfoSanitizer(DataFlow::GuardNode g, ControlFlowNode tarInfo, boolean branch) {
+    exists(CallNode call, AttrNode attr |
       g = call and
       // We must test the name of the tar info object.
       attr = call.getAnArg() and
@@ -149,9 +148,9 @@ module TarSlip {
       attr.getObject() = tarInfo
     |
       // The assumption that any test that matches %path is a sanitizer might be too broad.
-      call.getAChild*().(Cfg::AttrNode).getName().matches("%path")
+      call.getAChild*().(AttrNode).getName().matches("%path")
       or
-      call.getAChild*().(Cfg::NameNode).getId().matches("%path")
+      call.getAChild*().(NameNode).getId().matches("%path")
     ) and
     branch = false
   }

python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll

@@ -5,7 +5,6 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
@@ -112,7 +111,7 @@ module UrlRedirect {
       // Url redirection is a problem only if the user controls the prefix of the URL.
       // TODO: This is a copy of the taint-sanitizer from the old points-to query, which doesn't
       // cover formatting.
-      exists(Cfg::BinaryExprNode string_concat | string_concat.getOp() instanceof Add |
+      exists(BinaryExprNode string_concat | string_concat.getOp() instanceof Add |
         string_concat.getRight() = this.asCfgNode()
       )
     }

python/ql/lib/utils/test/dataflow/MaximalFlowTest.qll

@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
 import FlowTest
@@ -24,7 +23,7 @@ import MakeTest<MakeTestSig<MaximalFlowTest>>
 module MaximalFlowsConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     exists(node.getLocation().getFile().getRelativePath()) and
-    not node.asCfgNode() instanceof Cfg::CallNode and
+    not node.asCfgNode() instanceof CallNode and
     not node.asCfgNode().getNode() instanceof Return and
     not node instanceof DataFlow::ParameterNode and
     not node instanceof DataFlow::PostUpdateNode and
@@ -35,9 +34,9 @@ module MaximalFlowsConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     exists(node.getLocation().getFile().getRelativePath()) and
-    not any(Cfg::CallNode c).getArg(_) = node.asCfgNode() and
+    not any(CallNode c).getArg(_) = node.asCfgNode() and
     not isArgumentNode(node, _, _) and
-    not node.asCfgNode().(Cfg::NameNode).getId().matches("SINK%") and
+    not node.asCfgNode().(NameNode).getId().matches("SINK%") and
     not DataFlow::localFlowStep(node, _)
   }
 }

python/ql/lib/utils/test/dataflow/NormalDataflowTest.qll

@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import utils.test.dataflow.FlowTest
 import utils.test.dataflow.testConfig
 private import semmle.python.dataflow.new.internal.PrintNode
@@ -20,7 +19,7 @@ query predicate missingAnnotationOnSink(Location location, string error, string
     TestConfig::isSink(sink) and
     // note: we only care about `SINK` and not `SINK_F`, so we have to reconstruct manually.
     exists(DataFlow::CallCfgNode call |
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() = "SINK" and
+      call.getFunction().asCfgNode().(NameNode).getId() = "SINK" and
       (sink = call.getArg(_) or sink = call.getArgByName(_))
     ) and
     location = sink.getLocation() and

python/ql/lib/utils/test/dataflow/NormalTaintTrackingTest.qll

@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import utils.test.dataflow.FlowTest
 import utils.test.dataflow.testTaintConfig
 private import semmle.python.dataflow.new.internal.PrintNode
@@ -19,7 +18,7 @@ query predicate missingAnnotationOnSink(Location location, string error, string
   exists(DataFlow::Node sink |
     exists(DataFlow::CallCfgNode call |
       // note: we only care about `SINK` and not `SINK_F`, so we have to reconstruct manually.
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() = "SINK" and
+      call.getFunction().asCfgNode().(NameNode).getId() = "SINK" and
       (sink = call.getArg(_) or sink = call.getArgByName(_))
     ) and
     location = sink.getLocation() and

python/ql/lib/utils/test/dataflow/RoutingTest.qll

@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 import utils.test.InlineExpectationsTest
 private import semmle.python.dataflow.new.internal.PrintNode
@@ -50,7 +49,7 @@ private string fromValue(DataFlow::Node fromNode) {
 
 pragma[inline]
 private string fromFunc(DataFlow::ArgumentNode fromNode) {
-  result = fromNode.getCall().getNode().(Cfg::CallNode).getFunction().getNode().(Name).getId()
+  result = fromNode.getCall().getNode().(CallNode).getFunction().getNode().(Name).getId()
 }
 
 pragma[inline]

python/ql/lib/utils/test/dataflow/UnresolvedCalls.qll

@@ -1,16 +1,15 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.internal.PrintNode
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
 private import semmle.python.ApiGraphs
 import utils.test.InlineExpectationsTest
 
 signature module UnresolvedCallExpectationsSig {
-  predicate unresolvedCall(Cfg::CallNode call);
+  predicate unresolvedCall(CallNode call);
 }
 
 module DefaultUnresolvedCallExpectations implements UnresolvedCallExpectationsSig {
-  predicate unresolvedCall(Cfg::CallNode call) {
+  predicate unresolvedCall(CallNode call) {
     not exists(DataFlowPrivate::DataFlowCall dfc |
       exists(dfc.getCallable()) and dfc.getNode() = call
     ) and
@@ -25,7 +24,7 @@ module MakeUnresolvedCallExpectations<UnresolvedCallExpectationsSig Impl> {
 
     predicate hasActualResult(Location location, string element, string tag, string value) {
       exists(location.getFile().getRelativePath()) and
-      exists(Cfg::CallNode call | Impl::unresolvedCall(call) and call.injects(_) |
+      exists(CallNode call | Impl::unresolvedCall(call) |
         location = call.getLocation() and
         tag = "unresolved_call" and
         value = prettyExpr(call.getNode()) and

python/ql/lib/utils/test/dataflow/testConfig.qll

@@ -21,12 +21,11 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 
 module TestConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
-    node.(DataFlow::CfgNode).getNode().(Cfg::NameNode).getId() = "SOURCE"
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
     or
     node.(DataFlow::CfgNode).getNode().getNode().(StringLiteral).getS() = "source"
     or
@@ -38,7 +37,7 @@ module TestConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     exists(DataFlow::CallCfgNode call |
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() in ["SINK", "SINK_F"] and
+      call.getFunction().asCfgNode().(NameNode).getId() in ["SINK", "SINK_F"] and
       (node = call.getArg(_) or node = call.getArgByName(_)) and
       not node = call.getArgByName("not_present_at_runtime")
     )

python/ql/lib/utils/test/dataflow/testTaintConfig.qll

@@ -21,13 +21,12 @@
  */
 
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
 module TestConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
-    node.(DataFlow::CfgNode).getNode().(Cfg::NameNode).getId() = "SOURCE"
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
     or
     node.(DataFlow::CfgNode).getNode().getNode().(StringLiteral).getS() = "source"
     or
@@ -38,8 +37,8 @@ module TestConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node node) {
-    exists(Cfg::CallNode call |
-      call.getFunction().(Cfg::NameNode).getId() in ["SINK", "SINK_F"] and
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() in ["SINK", "SINK_F"] and
       node.(DataFlow::CfgNode).getNode() = call.getAnArg()
     )
   }

python/ql/src/Exceptions/UnguardedNextInGenerator.ql

@@ -12,8 +12,6 @@
 
 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.Flow as Flow
 
 API::Node iter() { result = API::builtin("iter") }
 
@@ -21,17 +19,17 @@ API::Node next() { result = API::builtin("next") }
 
 API::Node stopIteration() { result = API::builtin("StopIteration") }
 
-predicate call_to_iter(Flow::CallNode call, EssaVariable sequence) {
-  call.getNode() = iter().getACall().asCfgNode().(Cfg::CallNode).getNode() and
+predicate call_to_iter(CallNode call, EssaVariable sequence) {
+  call = iter().getACall().asCfgNode() and
   call.getArg(0) = sequence.getAUse()
 }
 
-predicate call_to_next(Flow::CallNode call, Flow::ControlFlowNode iter) {
-  call.getNode() = next().getACall().asCfgNode().(Cfg::CallNode).getNode() and
+predicate call_to_next(CallNode call, ControlFlowNode iter) {
+  call = next().getACall().asCfgNode() and
   call.getArg(0) = iter
 }
 
-predicate call_to_next_has_default(Flow::CallNode call) {
+predicate call_to_next_has_default(CallNode call) {
   exists(call.getArg(1)) or exists(call.getArgByName("default"))
 }
 
@@ -51,14 +49,14 @@ predicate iter_not_exhausted(EssaVariable iterator) {
   )
 }
 
-predicate stop_iteration_handled(Flow::CallNode call) {
+predicate stop_iteration_handled(CallNode call) {
   exists(Try t |
     t.containsInScope(call.getNode()) and
     t.getAHandler().getType() = stopIteration().getAValueReachableFromSource().asExpr()
   )
 }
 
-from Flow::CallNode call
+from CallNode call
 where
   call_to_next(call, _) and
   not call_to_next_has_default(call) and

python/ql/src/Expressions/UseofApply.ql

@@ -11,9 +11,8 @@
 
 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
-from Cfg::CallNode call
+from CallNode call
 where
   major_version() = 2 and
   call = API::builtin("apply").getACall().asCfgNode()

python/ql/src/Functions/SignatureOverriddenMethod.ql

@@ -15,7 +15,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.internal.DataFlowDispatch
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import codeql.util.Option
 
 /** Holds if `base` is overridden by `sub` */
@@ -144,7 +143,7 @@ predicate ignore(Function f) {
 
 /** Gets a function that `call` may resolve to. */
 Function resolveCall(Call call) {
-  exists(DataFlowCall dfc | call = dfc.getNode().(Cfg::CallNode).getNode() |
+  exists(DataFlowCall dfc | call = dfc.getNode().(CallNode).getNode() |
     result = viableCallable(dfc).(DataFlowFunction).getScope()
   )
 }

python/ql/src/Resources/FileNotAlwaysClosedQuery.qll

@@ -4,7 +4,6 @@ import python
 import semmle.python.dataflow.new.internal.DataFlowDispatch
 import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.internal.ReExposedInstance
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /** A CFG node where a file is opened. */
 abstract class FileOpenSource extends DataFlow::CfgNode { }
@@ -82,14 +81,12 @@ abstract class FileClose extends DataFlow::CfgNode {
   }
 }
 
-private predicate bbSuccessor(Cfg::BasicBlock src, Cfg::BasicBlock sink) {
-  sink = src.getASuccessor()
-}
+private predicate bbSuccessor(BasicBlock src, BasicBlock sink) { sink = src.getASuccessor() }
 
-private predicate bbReachableStrict(Cfg::BasicBlock src, Cfg::BasicBlock sink) =
+private predicate bbReachableStrict(BasicBlock src, BasicBlock sink) =
   fastTC(bbSuccessor/2)(src, sink)
 
-private predicate bbReachableRefl(Cfg::BasicBlock src, Cfg::BasicBlock sink) {
+private predicate bbReachableRefl(BasicBlock src, BasicBlock sink) {
   bbReachableStrict(src, sink) or src = sink
 }
 

python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll

@@ -10,7 +10,6 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
 private import semmle.python.dataflow.new.internal.TaintTrackingPrivate as TaintTrackingPrivate
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * An external API that is considered "safe" from a security perspective.
@@ -72,7 +71,7 @@ string apiNodeToStringRepr(API::Node node) {
   )
 }
 
-predicate resolvedCall(Cfg::CallNode call) {
+predicate resolvedCall(CallNode call) {
   DataFlowPrivate::resolveCall(call, _, _) or
   DataFlowPrivate::resolveClassCall(call, _)
 }

python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql

@@ -14,7 +14,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /*
  * Jinja 2 Docs:
@@ -37,8 +36,8 @@ private API::Node jinja2EnvironmentOrTemplate() {
 from API::CallNode call
 where
   call = jinja2EnvironmentOrTemplate().getACall() and
-  not exists(call.asCfgNode().(Cfg::CallNode).getNode().getStarargs()) and
-  not exists(call.asCfgNode().(Cfg::CallNode).getNode().getKwargs()) and
+  not exists(call.asCfgNode().(CallNode).getNode().getStarargs()) and
+  not exists(call.asCfgNode().(CallNode).getNode().getKwargs()) and
   (
     not exists(call.getArgByName("autoescape"))
     or

python/ql/src/Security/CWE-327/PyOpenSSL.qll

@@ -5,7 +5,6 @@
 
 private import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import TlsLibraryModel
 
 class PyOpenSslContextCreation extends ContextCreation, DataFlow::CallCfgNode {
@@ -38,10 +37,10 @@ class ConnectionCall extends ConnectionCreation, DataFlow::CallCfgNode {
 // This cannot be used to unrestrict,
 // see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_options
 class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
-  SetOptionsCall() { node.getFunction().(Cfg::AttrNode).getName() = "set_options" }
+  SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
 
   override DataFlow::CfgNode getContext() {
-    result.getNode() = node.getFunction().(Cfg::AttrNode).getObject()
+    result.getNode() = node.getFunction().(AttrNode).getObject()
   }
 
   override ProtocolVersion getRestriction() {

python/ql/src/Security/CWE-327/Ssl.qll

@@ -5,7 +5,6 @@
 
 private import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import TlsLibraryModel
 
 class SslContextCreation extends ContextCreation, DataFlow::CallCfgNode {
@@ -54,7 +53,7 @@ class OptionsAugOr extends ProtocolRestriction, DataFlow::CfgNode {
   ProtocolVersion restriction;
 
   OptionsAugOr() {
-    exists(AugAssign aa, Cfg::AttrNode attr, Expr flag |
+    exists(AugAssign aa, AttrNode attr, Expr flag |
       aa.getOperation().getOp() instanceof BitOr and
       aa.getTarget() = attr.getNode() and
       attr.getName() = "options" and
@@ -81,7 +80,7 @@ class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CfgNode {
   ProtocolVersion restriction;
 
   OptionsAugAndNot() {
-    exists(AugAssign aa, Cfg::AttrNode attr, Expr flag, UnaryExpr notFlag |
+    exists(AugAssign aa, AttrNode attr, Expr flag, UnaryExpr notFlag |
       aa.getOperation().getOp() instanceof BitAnd and
       aa.getTarget() = attr.getNode() and
       attr.getName() = "options" and

python/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -19,7 +19,6 @@ import semmle.python.filters.Tests
 private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowDispatch
 private import semmle.python.dataflow.new.internal.Builtins::Builtins as Builtins
 private import semmle.python.frameworks.data.ModelsAsData
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 bindingset[char, fraction]
 predicate fewer_characters_than(StringLiteral str, string char, float fraction) {
@@ -49,7 +48,7 @@ predicate capitalized_word(StringLiteral str) { str.getText().regexpMatch("[A-Z]
 
 predicate format_string(StringLiteral str) { str.getText().matches("%{%}%") }
 
-predicate maybeCredential(Cfg::ControlFlowNode f) {
+predicate maybeCredential(ControlFlowNode f) {
   /* A string that is not too short and unlikely to be text or an identifier. */
   exists(StringLiteral str | str = f.getNode() |
     /* At least 10 characters */
@@ -97,7 +96,7 @@ class CredentialSink extends DataFlow::Node {
       or
       exists(Keyword k | k.getArg() = name and this.asCfgNode().getNode() = k.getValue())
       or
-      exists(Cfg::CompareNode cmp, Cfg::NameNode n | n.getId() = name |
+      exists(CompareNode cmp, NameNode n | n.getId() = name |
         cmp.operands(this.asCfgNode(), any(Eq eq), n)
         or
         cmp.operands(n, any(Eq eq), this.asCfgNode())

python/ql/src/Statements/ModificationOfLocals.ql

@@ -14,9 +14,8 @@
 import python
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
-predicate originIsLocals(Cfg::ControlFlowNode n) {
+predicate originIsLocals(ControlFlowNode n) {
   // Only consider the `locals()` dictionary within the scope that called `locals()`.
   // Once the dictionary is passed to another scope (e.g. as an argument or via an
   // instance attribute) it is just an ordinary mapping, and modifying it is both
@@ -29,19 +28,19 @@ predicate originIsLocals(Cfg::ControlFlowNode n) {
   )
 }
 
-predicate modification_of_locals(Cfg::ControlFlowNode f) {
-  originIsLocals(f.(Cfg::SubscriptNode).getObject()) and
+predicate modification_of_locals(ControlFlowNode f) {
+  originIsLocals(f.(SubscriptNode).getObject()) and
   (f.isStore() or f.isDelete())
   or
-  exists(string mname, Cfg::AttrNode attr |
-    attr = f.(Cfg::CallNode).getFunction() and
+  exists(string mname, AttrNode attr |
+    attr = f.(CallNode).getFunction() and
     originIsLocals(attr.getObject(mname))
   |
     mname in ["pop", "popitem", "update", "clear"]
   )
 }
 
-from AstNode a, Cfg::ControlFlowNode f
+from AstNode a, ControlFlowNode f
 where
   modification_of_locals(f) and
   a = f.getNode() and

python/ql/src/Statements/SideEffectInAssert.ql

@@ -14,7 +14,6 @@
 
 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 predicate func_with_side_effects(Expr e) {
   exists(string name | name = e.(Attribute).getName() or name = e.(Name).getId() |
@@ -25,7 +24,7 @@ predicate func_with_side_effects(Expr e) {
 }
 
 predicate call_with_side_effect(Call e) {
-  exists(Cfg::ControlFlowNode eCfg | eCfg.getNode() = e |
+  exists(ControlFlowNode eCfg | eCfg.getNode() = e |
     eCfg =
       API::moduleImport("subprocess")
           .getMember(["call", "check_call", "check_output"])

python/ql/src/Statements/UseOfExit.ql

@@ -13,9 +13,8 @@
 
 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
-from Cfg::CallNode call, string name
+from CallNode call, string name
 where
   name = ["exit", "quit"] and
   call = API::builtin(name).getACall().asCfgNode()

python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql

@@ -21,7 +21,6 @@ import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.internal.Attributes
 import semmle.python.dataflow.new.BarrierGuards
 import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * Handle those three cases of Tarfile opens:
@@ -76,8 +75,8 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
         call = atfo.getReturn().getMember("extractall").getACall() and
         arg = call.getArgByName("members") and
         if
-          arg.asCfgNode() instanceof Cfg::NameConstantNode or
-          arg.asCfgNode() instanceof Cfg::ListNode
+          arg.asCfgNode() instanceof NameConstantNode or
+          arg.asCfgNode() instanceof ListNode
         then sink = call.getObject()
         else
           if arg.(MethodCallNode).getMethodName() = "getmembers"

python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql

@@ -16,7 +16,6 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.controlflow.internal.Cfg as Cfg
 
 class PredictableResultSource extends DataFlow::Node {
   PredictableResultSource() {
@@ -33,9 +32,7 @@ class PredictableResultSource extends DataFlow::Node {
 class TokenAssignmentValueSink extends DataFlow::Node {
   TokenAssignmentValueSink() {
     exists(string name | name.toLowerCase().matches(["%token", "%code"]) |
-      exists(Cfg::DefinitionNode n | n.getValue() = this.asCfgNode() |
-        name = n.(Cfg::NameNode).getId()
-      )
+      exists(DefinitionNode n | n.getValue() = this.asCfgNode() | name = n.(NameNode).getId())
       or
       exists(DataFlow::AttrWrite aw | aw.getValue() = this | name = aw.getAttributeName())
     )