Deprecate direct uses of RemoteFlowSource and replace with ThreatModelFlowSource

Author: egregius313

csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll

@@ -65,7 +65,7 @@ module ConditionalBypass = TaintTracking::Global<ConditionalBypassConfig>;
  *
  * A source of remote user input.
  */
-class RemoteSource extends Source instanceof RemoteFlowSource { }
+deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /** A source supported by the current threat model. */
 class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }

csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql

@@ -13,7 +13,7 @@
  */
 
 import csharp
-import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 import semmle.code.csharp.commons.Util
 import AssemblyPathInjection::PathGraph
 
@@ -22,7 +22,7 @@ import AssemblyPathInjection::PathGraph
  */
 module AssemblyPathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource or
+    source instanceof ThreatModelFlowSource or
     source.asExpr() = any(MainMethod main).getParameter(0).getAnAccess()
   }
 

csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll

@@ -2,6 +2,7 @@ import csharp
 import semmle.code.csharp.frameworks.system.Net
 import semmle.code.csharp.frameworks.System
 import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 import semmle.code.csharp.security.Sanitizers
 
 //If this leaves experimental this should probably go in semmle.code.csharp.frameworks.system.Net
@@ -68,8 +69,15 @@ private module TaintedWebClientConfig implements DataFlow::ConfigSig {
  */
 module TaintedWebClient = TaintTracking::Global<TaintedWebClientConfig>;
 
-/** A source of remote user input. */
-class RemoteSource extends Source instanceof RemoteFlowSource { }
+/**
+ * DEPRECATED: Use `ThreatModelSource` instead.
+ *
+ * A source of remote user input.
+ */
+deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
+
+/** A source supported by the current threat model. */
+class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
 
 /**
  * A path argument to a `WebClient` method call that has an address argument.

csharp/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -6,6 +6,7 @@ module RequestForgery {
   import semmle.code.csharp.frameworks.system.Web
   import semmle.code.csharp.frameworks.Format
   import semmle.code.csharp.security.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 
   /**
    * A data flow source for server side request forgery vulnerabilities.
@@ -91,10 +92,9 @@ module RequestForgery {
   module RequestForgeryFlow = DataFlow::Global<RequestForgeryFlowConfig>;
 
   /**
-   * A remote data flow source taken as a source
-   * for Server Side Request Forgery(SSRF) Vulnerabilities.
+   * A dataflow source for Server Side Request Forgery(SSRF) Vulnerabilities.
    */
-  private class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
+  private class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
 
   /**
    * An url argument to a `HttpRequestMessage` constructor call