diff --git a/python/CWE-078/CommandInjectionStatic.ql b/python/CWE-078/CommandInjectionAudit.ql
similarity index 86%
rename from python/CWE-078/CommandInjectionStatic.ql
rename to python/CWE-078/CommandInjectionAudit.ql
index 65664a4c20..0ab3bfd9c7 100644
--- a/python/CWE-078/CommandInjectionStatic.ql
+++ b/python/CWE-078/CommandInjectionAudit.ql
@@ -7,13 +7,11 @@
  * @security-severity 2.5
  * @sub-severity low
  * @precision very-low
- * @id py/command-line-injection-static
+ * @id py/audit/command-line-injection
  * @tags security
  * external/cwe/cwe-078
  * external/cwe/cwe-088
- * external/owasp/owasp-a1
- * experimental
- * static
+ * audit
  */
 
 import python
diff --git a/python/CWE-089/SqlInjectionHeuristic.ql b/python/CWE-089/SqlInjectionHeuristic.ql
index 6145e985a5..02e19d425b 100644
--- a/python/CWE-089/SqlInjectionHeuristic.ql
+++ b/python/CWE-089/SqlInjectionHeuristic.ql
@@ -9,7 +9,6 @@
  * @id py/sql-injection
  * @tags security
  * external/cwe/cwe-089
- * external/owasp/owasp-a1
  * audit
  * heuristic
  */
diff --git a/python/CWE-094/CodeInjectionStatic.ql b/python/CWE-094/CodeInjectionAudit.ql
similarity index 90%
rename from python/CWE-094/CodeInjectionStatic.ql
rename to python/CWE-094/CodeInjectionAudit.ql
index 8581b65d07..a853fb253a 100644
--- a/python/CWE-094/CodeInjectionStatic.ql
+++ b/python/CWE-094/CodeInjectionAudit.ql
@@ -7,14 +7,13 @@
  * @security-severity 2.5
  * @sub-severity low
  * @precision very-low
- * @id py/code-injection-static
+ * @id py/audit/code-injection
  * @tags security
  * external/cwe/cwe-094
  * external/cwe/cwe-095
  * external/cwe/cwe-116
  * external/owasp/owasp-a1
- * experimental
- * static
+ * audit
  */
 
 import python
diff --git a/python/CWE-502/UnsafeDeserializationStatic.ql b/python/CWE-502/UnsafeDeserializationAudit.ql
similarity index 88%
rename from python/CWE-502/UnsafeDeserializationStatic.ql
rename to python/CWE-502/UnsafeDeserializationAudit.ql
index d621a18fd6..16a392e6ee 100644
--- a/python/CWE-502/UnsafeDeserializationStatic.ql
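Review bot: The `@id` change from `py/command-line-injection-static` to `py/audit/command-line-injection` is a breaking change for anyone consuming this query, and nothing in the hunk records it: code scanning keys alerts and dismissals on the rule id, so existing alerts under the old id will most likely be closed and re-raised as new ones, and any suite or workflow that selects the query by its old id silently stops matching. The same id rename appears in the CWE-094 hunk (`py/code-injection-static` to `py/audit/code-injection`) and in the CWE-502 hunk (`py/unsafe-deserialization-static` to `py/audit/unsafe-deserialization`). If the rename is intended, list the old and new ids side by side in a changelog entry so users can map their suppressions. The hunk also keeps `@precision very-low`, which keeps these queries out of the standard precision-filtered suites and reachable only through a suite selecting on the new `audit` tag; that is worth stating in the query's QLDoc description, which sits above the hunk.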
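Review bot: The `@tags` list in the CWE-094 hunk still carries `external/owasp/owasp-a1`, while the CWE-078 hunk in this same commit removes that tag from `CommandInjectionAudit.ql` and the CWE-089 hunk removes it from `SqlInjectionHeuristic.ql`, so the audit queries end up tagged inconsistently. If the intent is to drop the OWASP tag from the audit set, this hunk should remove it as well: `- * external/owasp/owasp-a1`. If it is meant to stay, the other two hunks should keep it, since suite selection by tag will otherwise pick up only one of the three.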
+++ b/python/CWE-502/UnsafeDeserializationAudit.ql
@@ -6,11 +6,10 @@
  * @security-severity 2.5
  * @sub-severity low
  * @precision very-low
- * @id py/unsafe-deserialization-static
+ * @id py/audit/unsafe-deserialization
  * @tags security
  * external/cwe/cwe-502
- * experimental
- * static
+ * audit
  */
 
 import python
diff --git a/python/README.md b/python/README.md
index 61876866c4..c877a6f84d 100644
--- a/python/README.md
+++ b/python/README.md
@@ -1,30 +1,45 @@ # Python +## Query Suites + +| Name | Queries Count | Description | Path | +| :--- | :---- | :--- | :--- | +| `default` | 38 | Default Query Suite | `codeql/python/ql/src/codeql-suites/code-scanning` | +| `extended` | 45 | Security Extended Suite | `codeql/python/ql/src/codeql-suites/security-extended` | +| `quality` | 167 | Security and Quality Extended Suite | `codeql/python/ql/src/codeql-suites/security-and-quality` | +| `local-variants` | 49 | Security Extended with local variants enabled | `advanced-security/codeql-queries/python/suites/codeql-python-local.qls@main` | +| `super-extended` | 73 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/python/suites/codeql-python.qls@main` | +| `audit` | 4 | Security Audit Query Suite | `advanced-security/codeql-queries/python/suites/codeql-python-audit.qls@main` | + + + + ## Queries | Name | Severity | Path | | :--- | :------- | :--- | -| `Code injection` | Critical / 10.0 | `python/CWE-094/CodeInjectionLocal.ql` | +| `Uncontrolled command line` | Critical / 10.0 | `python/CWE-078/CommandInjectionLocal.ql` | | `SQL query built from user-controlled sources` | Critical / 10.0 | `python/CWE-089/SqlInjectionLocal.ql` | +| `Code injection` | Critical / 10.0 | `python/CWE-094/CodeInjectionLocal.ql` | | `Deserializing untrusted input` | High / 8.0 | `python/CWE-502/UnsafeDeserializationLocal.ql` | -| `Uncontrolled command line` | Critical / 10.0 | `python/CWE-078/CommandInjectionLocal.ql` | +| `Uncontrolled command line` | Low / 2.5 | `python/CWE-078/CommandInjectionAudit.ql` | +| `SQL query built from user-controlled sources` | Unknown / 8.8 | `python/CWE-089/SqlInjectionHeuristic.ql` | +| `Code injection` | Low / 2.5 | `python/CWE-094/CodeInjectionAudit.ql` | +| `Python user-controlled format string` | Unknown / 1.0 | `python/CWE-133/format_string.ql` | +| `Use of Cryptographically Weak HMAC Algorithm` | Medium / 5.0 | `python/CWE-327/WeakHMacAlgorithms.ql` | 
| `Use of a broken or weak cryptographic algorithm` | Medium / 5.0 | `python/CWE-327/WeakHashingAlgorithms.ql` | +| `Use of Cryptographically Weak Pseudo-Random Number Generator` | Medium / 6.0 | `python/CWE-338/WeakPRNG.ql` | +| `Deserializing untrusted input` | Low / 2.5 | `python/CWE-502/UnsafeDeserializationAudit.ql` | +| `Deserializing XML from local file` | Unknown / 6.0 | `python/CWE-502/XMLLocalFileStatic.ql` | +| `Deserializing XML from user-controlled filename` | Unknown / 6.0 | `python/CWE-502/XMLLocalFileTaint.ql` | +| `Deserializing XML from user-controlled data` | Unknown / 6.0 | `python/CWE-502/XMLLocalStringTaint.ql` | | `Dangerous Functions` | Low / 2.5 | `python/CWE-676/DangerousFunctions.ql` | | `Insufficient Logging` | Low / 1.0 | `python/CWE-778/InsufficientLogging.ql` | | `Hard-coded credentials` | Medium / 5.9 | `python/CWE-798/HardcodedFrameworkSecrets.ql` | -| `Use of Cryptographically Weak Pseudo-Random Number Generator` | Medium / 6.0 | `python/CWE-338/WeakPRNG.ql` | +| `Mass assignment` | High / 8.0 | `python/CWE-915/MassAssignment.ql` | +| `Mass assignment` | High / 2.0 | `python/CWE-915/MassAssignmentLocal.ql` | +| `Partial Path Query from Sink` | Low / 1.0 | `python/debugging/PartialPathsFromSink.ql` | +| `Partial Path Query from Source` | Low / 1.0 | `python/debugging/PartialPathsFromSource.ql` | -## Query Suites - -| Name | Queries Count | Description | Path | -| :--- | :---- | :--- | :--- | -| `default` | 30 | Default Query Suite | `code-scanning` | -| `extended` | 35 | Security Extended Suite | `security-extended` | -| `quality` | 157 | Security and Quality Extended Suite | `security-and-quality` | -| `local-variants` | 39 | Security Extended with local variants enabled | `advanced-security/codeql-queries/python/suites/codeql-python-local.qls@main` | -| `super-extended` | 52 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/python/suites/codeql-python.qls@main` | - - - 
diff --git a/python/queries.json b/python/queries.json
index ef4d970ab2..165f114ffc 100644
--- a/python/queries.json
+++ b/python/queries.json
@@ -1,325 +1,390 @@ { + "audit": [ + "python/CWE-078/CommandInjectionAudit.ql", + "python/CWE-089/SqlInjectionHeuristic.ql", + "python/CWE-094/CodeInjectionAudit.ql", + "python/CWE-502/UnsafeDeserializationAudit.ql" + ], "default": [ + "codeql/python/ql/src/Expressions/UseofInput.ql", + "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", + "codeql/python/ql/src/Security/CWE-020/OverlyLargeRange.ql", + "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", + "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", + "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", + "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", + "codeql/python/ql/src/Security/CWE-090/LdapInjection.ql", "codeql/python/ql/src/Security/CWE-094/CodeInjection.ql", + "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", "codeql/python/ql/src/Security/CWE-209/StackTraceExposure.ql", - "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", + "codeql/python/ql/src/Security/CWE-285/PamAuthorization.ql", + "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", "codeql/python/ql/src/Security/CWE-326/WeakCryptoKey.ql", - "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql", + "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/InsecureProtocol.ql", "codeql/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql", - "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", - 
"codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", - "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", - "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", - "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql", "codeql/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql", - "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", "codeql/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql", - "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", - "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-611/Xxe.ql", + "codeql/python/ql/src/Security/CWE-643/XpathInjection.ql", "codeql/python/ql/src/Security/CWE-730/PolynomialReDoS.ql", - "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", - "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", - "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", - "codeql/python/ql/src/Expressions/UseofInput.ql", - "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", + "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", + "codeql/python/ql/src/Security/CWE-776/XmlBomb.ql", + "codeql/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql", "codeql/python/ql/src/Diagnostics/ExtractionWarnings.ql", + "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", "codeql/python/ql/src/Summary/LinesOfCode.ql", "codeql/python/ql/src/Summary/LinesOfUserCode.ql" ], "extended": [ + "codeql/python/ql/src/Expressions/UseofInput.ql", + "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + 
"codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", + "codeql/python/ql/src/Security/CWE-020/OverlyLargeRange.ql", + "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", + "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", + "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", + "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", + "codeql/python/ql/src/Security/CWE-090/LdapInjection.ql", "codeql/python/ql/src/Security/CWE-094/CodeInjection.ql", + "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", "codeql/python/ql/src/Security/CWE-209/StackTraceExposure.ql", - "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", + "codeql/python/ql/src/Security/CWE-285/PamAuthorization.ql", + "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", "codeql/python/ql/src/Security/CWE-326/WeakCryptoKey.ql", - "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql", + "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/InsecureProtocol.ql", "codeql/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql", - "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", - "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", - "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", - "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql", "codeql/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql", - "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", - 
"codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", "codeql/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql", - "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", - "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-611/Xxe.ql", + "codeql/python/ql/src/Security/CWE-643/XpathInjection.ql", "codeql/python/ql/src/Security/CWE-730/PolynomialReDoS.ql", - "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", - "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", - "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", - "codeql/python/ql/src/Expressions/UseofInput.ql", - "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", - "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", - "codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", + "codeql/python/ql/src/Security/CWE-776/XmlBomb.ql", + "codeql/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql", "codeql/python/ql/src/Security/CWE-022/TarSlip.ql", "codeql/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql", - "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", + "codeql/python/ql/src/Security/CWE-117/LogInjection.ql", + "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", + "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", + "codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "codeql/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql", "codeql/python/ql/src/Diagnostics/ExtractionWarnings.ql", + "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", "codeql/python/ql/src/Summary/LinesOfCode.ql", "codeql/python/ql/src/Summary/LinesOfUserCode.ql" ], "local-variants": [ + 
"codeql/python/ql/src/Expressions/UseofInput.ql", + "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", + "codeql/python/ql/src/Security/CWE-020/OverlyLargeRange.ql", + "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", + "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", + "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", + "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", + "codeql/python/ql/src/Security/CWE-090/LdapInjection.ql", "codeql/python/ql/src/Security/CWE-094/CodeInjection.ql", + "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", "codeql/python/ql/src/Security/CWE-209/StackTraceExposure.ql", - "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", + "codeql/python/ql/src/Security/CWE-285/PamAuthorization.ql", + "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", "codeql/python/ql/src/Security/CWE-326/WeakCryptoKey.ql", - "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql", + "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/InsecureProtocol.ql", "codeql/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql", - "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", - "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", - "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", - "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + 
"codeql/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql", "codeql/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql", - "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", "codeql/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql", - "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", - "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-611/Xxe.ql", + "codeql/python/ql/src/Security/CWE-643/XpathInjection.ql", "codeql/python/ql/src/Security/CWE-730/PolynomialReDoS.ql", - "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", - "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", - "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", - "codeql/python/ql/src/Expressions/UseofInput.ql", - "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", - "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", - "codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", + "codeql/python/ql/src/Security/CWE-776/XmlBomb.ql", + "codeql/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql", "codeql/python/ql/src/Security/CWE-022/TarSlip.ql", "codeql/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql", - "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", + "codeql/python/ql/src/Security/CWE-117/LogInjection.ql", + "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", + "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", + "codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "codeql/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql", "codeql/python/ql/src/Diagnostics/ExtractionWarnings.ql", + 
"codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", "codeql/python/ql/src/Summary/LinesOfCode.ql", "codeql/python/ql/src/Summary/LinesOfUserCode.ql", - "python/CWE-094/CodeInjectionLocal.ql", + "python/CWE-078/CommandInjectionLocal.ql", "python/CWE-089/SqlInjectionLocal.ql", - "python/CWE-502/UnsafeDeserializationLocal.ql", - "python/CWE-078/CommandInjectionLocal.ql" + "python/CWE-094/CodeInjectionLocal.ql", + "python/CWE-502/UnsafeDeserializationLocal.ql" ], "quality": [ - "codeql/python/ql/src/Lexical/OldOctalLiteral.ql", - "codeql/python/ql/src/Lexical/CommentedOutCode.ql", - "codeql/python/ql/src/Security/CWE-094/CodeInjection.ql", - "codeql/python/ql/src/Security/CWE-209/StackTraceExposure.ql", - "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", - "codeql/python/ql/src/Security/CWE-326/WeakCryptoKey.ql", - "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", - "codeql/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql", - "codeql/python/ql/src/Security/CWE-327/InsecureProtocol.ql", - "codeql/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql", - "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", - "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", - "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", - "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", - "codeql/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql", - "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", - "codeql/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql", - "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", - "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", - 
"codeql/python/ql/src/Security/CWE-730/PolynomialReDoS.ql", - "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", - "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", - "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", + "codeql/python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql", "codeql/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql", - "codeql/python/ql/src/Classes/MissingCallToInit.ql", + "codeql/python/ql/src/Classes/EqualsOrHash.ql", "codeql/python/ql/src/Classes/EqualsOrNotEquals.ql", + "codeql/python/ql/src/Classes/IncompleteOrdering.ql", "codeql/python/ql/src/Classes/InconsistentMRO.ql", - "codeql/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql", - "codeql/python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql", - "codeql/python/ql/src/Classes/WrongNameForArgumentInClassInstantiation.ql", + "codeql/python/ql/src/Classes/InitCallsSubclassMethod.ql", + "codeql/python/ql/src/Classes/MissingCallToDel.ql", + "codeql/python/ql/src/Classes/MissingCallToInit.ql", + "codeql/python/ql/src/Classes/MutatingDescriptor.ql", + "codeql/python/ql/src/Classes/PropertyInOldStyleClass.ql", + "codeql/python/ql/src/Classes/SlotsInOldStyleClass.ql", "codeql/python/ql/src/Classes/SubclassShadowing.ql", "codeql/python/ql/src/Classes/SuperInOldStyleClass.ql", + "codeql/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql", "codeql/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql", - "codeql/python/ql/src/Classes/MutatingDescriptor.ql", + "codeql/python/ql/src/Classes/WrongNameForArgumentInClassInstantiation.ql", "codeql/python/ql/src/Classes/WrongNumberArgumentsInClassInstantiation.ql", - "codeql/python/ql/src/Classes/InitCallsSubclassMethod.ql", - "codeql/python/ql/src/Classes/MissingCallToDel.ql", - "codeql/python/ql/src/Classes/IncompleteOrdering.ql", - "codeql/python/ql/src/Classes/SlotsInOldStyleClass.ql", - "codeql/python/ql/src/Classes/EqualsOrHash.ql", - 
"codeql/python/ql/src/Classes/PropertyInOldStyleClass.ql", - "codeql/python/ql/src/Imports/MultipleImports.ql", - "codeql/python/ql/src/Imports/UnusedImport.ql", - "codeql/python/ql/src/Imports/CyclicImport.ql", - "codeql/python/ql/src/Imports/ModuleImportsItself.ql", - "codeql/python/ql/src/Imports/ModuleLevelCyclicImport.ql", - "codeql/python/ql/src/Imports/ImportandImportFrom.ql", - "codeql/python/ql/src/Imports/UnintentionalImport.ql", - "codeql/python/ql/src/Imports/SyntaxError.ql", - "codeql/python/ql/src/Imports/DeprecatedModule.ql", - "codeql/python/ql/src/Imports/EncodingError.ql", "codeql/python/ql/src/Exceptions/CatchingBaseException.ql", "codeql/python/ql/src/Exceptions/EmptyExcept.ql", - "codeql/python/ql/src/Exceptions/RaisingTuple.ql", - "codeql/python/ql/src/Exceptions/NotImplementedIsNotAnException.ql", - "codeql/python/ql/src/Exceptions/IncorrectExceptOrder.ql", "codeql/python/ql/src/Exceptions/IllegalExceptionHandlerType.ql", "codeql/python/ql/src/Exceptions/IllegalRaise.ql", + "codeql/python/ql/src/Exceptions/IncorrectExceptOrder.ql", + "codeql/python/ql/src/Exceptions/NotImplementedIsNotAnException.ql", + "codeql/python/ql/src/Exceptions/RaisingTuple.ql", "codeql/python/ql/src/Exceptions/UnguardedNextInGenerator.ql", - "codeql/python/ql/src/Testing/ImpreciseAssert.ql", - "codeql/python/ql/src/Statements/UnreachableCode.ql", - "codeql/python/ql/src/Statements/AssertOnTuple.ql", - "codeql/python/ql/src/Statements/RedundantAssignment.ql", - "codeql/python/ql/src/Statements/ModificationOfLocals.ql", - "codeql/python/ql/src/Statements/UnnecessaryElseClause.ql", - "codeql/python/ql/src/Statements/MismatchInMultipleAssignment.ql", - "codeql/python/ql/src/Statements/IterableStringOrSequence.ql", - "codeql/python/ql/src/Statements/UnusedExceptionObject.ql", - "codeql/python/ql/src/Statements/ShouldUseWithStatement.ql", - "codeql/python/ql/src/Statements/NestedLoopsSameVariableWithReuse.ql", - "codeql/python/ql/src/Statements/UseOfExit.ql", - 
"codeql/python/ql/src/Statements/TopLevelPrint.ql", - "codeql/python/ql/src/Statements/UnnecessaryDelete.ql", - "codeql/python/ql/src/Statements/StatementNoEffect.ql", - "codeql/python/ql/src/Statements/ConstantInConditional.ql", - "codeql/python/ql/src/Statements/NonIteratorInForLoop.ql", - "codeql/python/ql/src/Statements/SideEffectInAssert.ql", - "codeql/python/ql/src/Statements/UnnecessaryPass.ql", - "codeql/python/ql/src/Statements/NestedLoopsSameVariable.ql", - "codeql/python/ql/src/Variables/MultiplyDefined.ql", - "codeql/python/ql/src/Variables/UnusedModuleVariable.ql", - "codeql/python/ql/src/Variables/UndefinedExport.ql", - "codeql/python/ql/src/Variables/GlobalAtModuleLevel.ql", - "codeql/python/ql/src/Variables/LeakingListComprehension.ql", - "codeql/python/ql/src/Variables/LoopVariableCapture.ql", - "codeql/python/ql/src/Variables/SuspiciousUnusedLoopIterationVariable.ql", - "codeql/python/ql/src/Variables/UnusedLocalVariable.ql", - "codeql/python/ql/src/Expressions/ExplicitCallToDel.ql", - "codeql/python/ql/src/Expressions/WrongNumberArgumentsForFormat.ql", - "codeql/python/ql/src/Expressions/EqualsNone.ql", - "codeql/python/ql/src/Expressions/UseofApply.ql", + "codeql/python/ql/src/Expressions/CallToSuperWrongClass.ql", + "codeql/python/ql/src/Expressions/CompareConstants.ql", + "codeql/python/ql/src/Expressions/CompareIdenticalValues.ql", + "codeql/python/ql/src/Expressions/CompareIdenticalValuesMissingSelf.ql", "codeql/python/ql/src/Expressions/Comparisons/UselessComparisonTest.ql", - "codeql/python/ql/src/Expressions/UnsupportedFormatCharacter.ql", - "codeql/python/ql/src/Expressions/WrongNameForArgumentInCall.ql", "codeql/python/ql/src/Expressions/ContainsNonContainer.ql", - "codeql/python/ql/src/Expressions/WrongNumberArgumentsInCall.ql", + "codeql/python/ql/src/Expressions/DuplicateKeyInDictionaryLiteral.ql", + "codeql/python/ql/src/Expressions/EqualsNone.ql", "codeql/python/ql/src/Expressions/ExpectedMappingForFormatString.ql", - 
"codeql/python/ql/src/Expressions/UseofInput.ql", - "codeql/python/ql/src/Expressions/Regex/UnmatchableDollar.ql", - "codeql/python/ql/src/Expressions/Regex/DuplicateCharacterInSet.ql", - "codeql/python/ql/src/Expressions/Regex/MissingPartSpecialGroup.ql", - "codeql/python/ql/src/Expressions/Regex/UnmatchableCaret.ql", - "codeql/python/ql/src/Expressions/Regex/BackspaceEscape.ql", - "codeql/python/ql/src/Expressions/CallToSuperWrongClass.ql", - "codeql/python/ql/src/Expressions/CompareConstants.ql", - "codeql/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql", - "codeql/python/ql/src/Expressions/Formatting/UnusedNamedArgumentIn3101Format.ql", - "codeql/python/ql/src/Expressions/Formatting/WrongNameInArgumentsFor3101Format.ql", + "codeql/python/ql/src/Expressions/ExplicitCallToDel.ql", "codeql/python/ql/src/Expressions/Formatting/MixedExplicitImplicitIn3101Format.ql", "codeql/python/ql/src/Expressions/Formatting/UnusedArgumentIn3101Format.ql", + "codeql/python/ql/src/Expressions/Formatting/UnusedNamedArgumentIn3101Format.ql", + "codeql/python/ql/src/Expressions/Formatting/WrongNameInArgumentsFor3101Format.ql", "codeql/python/ql/src/Expressions/Formatting/WrongNumberArgumentsFor3101Format.ql", + "codeql/python/ql/src/Expressions/HashedButNoHash.ql", + "codeql/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql", "codeql/python/ql/src/Expressions/NonCallableCalled.ql", + "codeql/python/ql/src/Expressions/Regex/BackspaceEscape.ql", + "codeql/python/ql/src/Expressions/Regex/DuplicateCharacterInSet.ql", + "codeql/python/ql/src/Expressions/Regex/MissingPartSpecialGroup.ql", + "codeql/python/ql/src/Expressions/Regex/UnmatchableCaret.ql", + "codeql/python/ql/src/Expressions/Regex/UnmatchableDollar.ql", "codeql/python/ql/src/Expressions/TruncatedDivision.ql", - "codeql/python/ql/src/Expressions/HashedButNoHash.ql", - "codeql/python/ql/src/Expressions/DuplicateKeyInDictionaryLiteral.ql", - "codeql/python/ql/src/Expressions/UnnecessaryLambda.ql", - 
"codeql/python/ql/src/Expressions/CompareIdenticalValues.ql", "codeql/python/ql/src/Expressions/UnintentionalImplicitStringConcatenation.ql", - "codeql/python/ql/src/Expressions/CompareIdenticalValuesMissingSelf.ql", - "codeql/python/ql/src/Functions/NonCls.ql", - "codeql/python/ql/src/Functions/IterReturnsNonIterator.ql", - "codeql/python/ql/src/Functions/OverlyComplexDelMethod.ql", - "codeql/python/ql/src/Functions/NonSelf.ql", - "codeql/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql", - "codeql/python/ql/src/Functions/IncorrectlySpecifiedOverriddenMethod.ql", - "codeql/python/ql/src/Functions/IncorrectlyOverriddenMethod.ql", - "codeql/python/ql/src/Functions/UseImplicitNoneReturnValue.ql", + "codeql/python/ql/src/Expressions/UnnecessaryLambda.ql", + "codeql/python/ql/src/Expressions/UnsupportedFormatCharacter.ql", + "codeql/python/ql/src/Expressions/UseofApply.ql", + "codeql/python/ql/src/Expressions/UseofInput.ql", + "codeql/python/ql/src/Expressions/WrongNameForArgumentInCall.ql", + "codeql/python/ql/src/Expressions/WrongNumberArgumentsForFormat.ql", + "codeql/python/ql/src/Expressions/WrongNumberArgumentsInCall.ql", "codeql/python/ql/src/Functions/ConsistentReturns.ql", + "codeql/python/ql/src/Functions/DeprecatedSliceMethod.ql", "codeql/python/ql/src/Functions/ExplicitReturnInInit.ql", - "codeql/python/ql/src/Functions/ReturnConsistentTupleSizes.ql", - "codeql/python/ql/src/Functions/ModificationOfParameterWithDefault.ql", + "codeql/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql", + "codeql/python/ql/src/Functions/IncorrectlyOverriddenMethod.ql", + "codeql/python/ql/src/Functions/IncorrectlySpecifiedOverriddenMethod.ql", "codeql/python/ql/src/Functions/InitIsGenerator.ql", - "codeql/python/ql/src/Functions/SignatureOverriddenMethod.ql", - "codeql/python/ql/src/Functions/DeprecatedSliceMethod.ql", + "codeql/python/ql/src/Functions/IterReturnsNonIterator.ql", "codeql/python/ql/src/Functions/IterReturnsNonSelf.ql", + 
"codeql/python/ql/src/Functions/ModificationOfParameterWithDefault.ql", + "codeql/python/ql/src/Functions/NonCls.ql", + "codeql/python/ql/src/Functions/NonSelf.ql", + "codeql/python/ql/src/Functions/OverlyComplexDelMethod.ql", + "codeql/python/ql/src/Functions/ReturnConsistentTupleSizes.ql", + "codeql/python/ql/src/Functions/SignatureOverriddenMethod.ql", "codeql/python/ql/src/Functions/SignatureSpecialMethods.ql", - "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", - "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", - "codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", - "codeql/python/ql/src/Security/CWE-022/TarSlip.ql", - "codeql/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql", + "codeql/python/ql/src/Functions/UseImplicitNoneReturnValue.ql", + "codeql/python/ql/src/Imports/CyclicImport.ql", + "codeql/python/ql/src/Imports/DeprecatedModule.ql", + "codeql/python/ql/src/Imports/EncodingError.ql", + "codeql/python/ql/src/Imports/ImportandImportFrom.ql", + "codeql/python/ql/src/Imports/ModuleImportsItself.ql", + "codeql/python/ql/src/Imports/ModuleLevelCyclicImport.ql", + "codeql/python/ql/src/Imports/MultipleImports.ql", + "codeql/python/ql/src/Imports/SyntaxError.ql", + "codeql/python/ql/src/Imports/UnintentionalImport.ql", + "codeql/python/ql/src/Imports/UnusedImport.ql", + "codeql/python/ql/src/Lexical/CommentedOutCode.ql", + "codeql/python/ql/src/Lexical/OldOctalLiteral.ql", + "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", + "codeql/python/ql/src/Security/CWE-020/OverlyLargeRange.ql", + "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", + "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", + "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", + "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", + 
"codeql/python/ql/src/Security/CWE-090/LdapInjection.ql", + "codeql/python/ql/src/Security/CWE-094/CodeInjection.ql", + "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", + "codeql/python/ql/src/Security/CWE-209/StackTraceExposure.ql", + "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", + "codeql/python/ql/src/Security/CWE-285/PamAuthorization.ql", + "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", + "codeql/python/ql/src/Security/CWE-326/WeakCryptoKey.ql", + "codeql/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql", + "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", + "codeql/python/ql/src/Security/CWE-327/InsecureProtocol.ql", + "codeql/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql", + "codeql/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql", + "codeql/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql", + "codeql/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql", + "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-611/Xxe.ql", + "codeql/python/ql/src/Security/CWE-643/XpathInjection.ql", + "codeql/python/ql/src/Security/CWE-730/PolynomialReDoS.ql", + "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", + "codeql/python/ql/src/Security/CWE-776/XmlBomb.ql", + "codeql/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql", + "codeql/python/ql/src/Statements/AssertOnTuple.ql", + "codeql/python/ql/src/Statements/ConstantInConditional.ql", + "codeql/python/ql/src/Statements/IterableStringOrSequence.ql", + "codeql/python/ql/src/Statements/MismatchInMultipleAssignment.ql", + "codeql/python/ql/src/Statements/ModificationOfLocals.ql", + "codeql/python/ql/src/Statements/NestedLoopsSameVariable.ql", + 
"codeql/python/ql/src/Statements/NestedLoopsSameVariableWithReuse.ql", + "codeql/python/ql/src/Statements/NonIteratorInForLoop.ql", + "codeql/python/ql/src/Statements/RedundantAssignment.ql", + "codeql/python/ql/src/Statements/ShouldUseWithStatement.ql", + "codeql/python/ql/src/Statements/SideEffectInAssert.ql", + "codeql/python/ql/src/Statements/StatementNoEffect.ql", + "codeql/python/ql/src/Statements/TopLevelPrint.ql", + "codeql/python/ql/src/Statements/UnnecessaryDelete.ql", + "codeql/python/ql/src/Statements/UnnecessaryElseClause.ql", + "codeql/python/ql/src/Statements/UnnecessaryPass.ql", + "codeql/python/ql/src/Statements/UnreachableCode.ql", + "codeql/python/ql/src/Statements/UnusedExceptionObject.ql", + "codeql/python/ql/src/Statements/UseOfExit.ql", + "codeql/python/ql/src/Testing/ImpreciseAssert.ql", + "codeql/python/ql/src/Variables/GlobalAtModuleLevel.ql", + "codeql/python/ql/src/Variables/LeakingListComprehension.ql", + "codeql/python/ql/src/Variables/LoopVariableCapture.ql", + "codeql/python/ql/src/Variables/MultiplyDefined.ql", + "codeql/python/ql/src/Variables/SuspiciousUnusedLoopIterationVariable.ql", + "codeql/python/ql/src/Variables/UndefinedExport.ql", + "codeql/python/ql/src/Variables/UnusedLocalVariable.ql", + "codeql/python/ql/src/Variables/UnusedModuleVariable.ql", "codeql/python/ql/src/Classes/OverwritingAttributeInSuperClass.ql", - "codeql/python/ql/src/Resources/FileNotAlwaysClosed.ql", "codeql/python/ql/src/Imports/FromImportOfMutableAttribute.ql", "codeql/python/ql/src/Numerics/Pythagorean.ql", - "codeql/python/ql/src/Statements/ReturnOrYieldOutsideFunction.ql", + "codeql/python/ql/src/Resources/FileNotAlwaysClosed.ql", + "codeql/python/ql/src/Security/CWE-022/TarSlip.ql", + "codeql/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql", + "codeql/python/ql/src/Security/CWE-117/LogInjection.ql", + "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", + "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", + 
"codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "codeql/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql", "codeql/python/ql/src/Statements/BreakOrReturnInFinally.ql", - "codeql/python/ql/src/Variables/UninitializedLocal.ql", + "codeql/python/ql/src/Statements/ReturnOrYieldOutsideFunction.ql", "codeql/python/ql/src/Variables/UndefinedPlaceHolder.ql", - "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", + "codeql/python/ql/src/Variables/UninitializedLocal.ql", "codeql/python/ql/src/Diagnostics/ExtractionWarnings.ql", + "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", "codeql/python/ql/src/Summary/LinesOfCode.ql", "codeql/python/ql/src/Summary/LinesOfUserCode.ql" ], "super-extended": [ + "python/CWE-078/CommandInjectionAudit.ql", + "python/CWE-078/CommandInjectionLocal.ql", + "python/CWE-089/SqlInjectionHeuristic.ql", + "python/CWE-089/SqlInjectionLocal.ql", + "python/CWE-094/CodeInjectionAudit.ql", "python/CWE-094/CodeInjectionLocal.ql", + "python/CWE-133/format_string.ql", + "python/CWE-327/WeakHMacAlgorithms.ql", "python/CWE-327/WeakHashingAlgorithms.ql", - "python/CWE-089/SqlInjectionLocal.ql", + "python/CWE-338/WeakPRNG.ql", + "python/CWE-502/UnsafeDeserializationAudit.ql", + "python/CWE-502/UnsafeDeserializationLocal.ql", + "python/CWE-502/XMLLocalFileStatic.ql", + "python/CWE-502/XMLLocalFileTaint.ql", + "python/CWE-502/XMLLocalStringTaint.ql", "python/CWE-676/DangerousFunctions.ql", "python/CWE-778/InsufficientLogging.ql", "python/CWE-798/HardcodedFrameworkSecrets.ql", - "python/CWE-338/WeakPRNG.ql", - "python/CWE-502/UnsafeDeserializationLocal.ql", - "python/CWE-078/CommandInjectionLocal.ql", + "python/CWE-915/MassAssignment.ql", + "python/CWE-915/MassAssignmentLocal.ql", + "python/debugging/PartialPathsFromSink.ql", + "python/debugging/PartialPathsFromSource.ql", + "codeql/python/ql/src/Expressions/UseofInput.ql", + "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", + 
"codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", + "codeql/python/ql/src/Security/CWE-020/OverlyLargeRange.ql", + "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", + "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", + "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", + "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", + "codeql/python/ql/src/Security/CWE-090/LdapInjection.ql", "codeql/python/ql/src/Security/CWE-094/CodeInjection.ql", + "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", "codeql/python/ql/src/Security/CWE-209/StackTraceExposure.ql", - "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", + "codeql/python/ql/src/Security/CWE-285/PamAuthorization.ql", + "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", + "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", "codeql/python/ql/src/Security/CWE-326/WeakCryptoKey.ql", - "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql", + "codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql", "codeql/python/ql/src/Security/CWE-327/InsecureProtocol.ql", "codeql/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql", - "codeql/python/ql/src/Security/CWE-089/SqlInjection.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", - "codeql/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql", - "codeql/python/ql/src/Security/CWE-215/FlaskDebug.ql", - "codeql/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql", - "codeql/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql", + "codeql/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql", 
"codeql/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql", - "codeql/python/ql/src/Security/CWE-116/BadTagFilter.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextStorage.ql", - "codeql/python/ql/src/Security/CWE-312/CleartextLogging.ql", "codeql/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql", - "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", - "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-601/UrlRedirect.ql", + "codeql/python/ql/src/Security/CWE-611/Xxe.ql", + "codeql/python/ql/src/Security/CWE-643/XpathInjection.ql", "codeql/python/ql/src/Security/CWE-730/PolynomialReDoS.ql", - "codeql/python/ql/src/Security/CWE-022/PathInjection.ql", - "codeql/python/ql/src/Security/CWE-078/CommandInjection.ql", - "codeql/python/ql/src/Security/CWE-079/ReflectedXss.ql", - "codeql/python/ql/src/Expressions/UseofInput.ql", - "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", - "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", - "codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "codeql/python/ql/src/Security/CWE-730/ReDoS.ql", + "codeql/python/ql/src/Security/CWE-730/RegexInjection.ql", + "codeql/python/ql/src/Security/CWE-776/XmlBomb.ql", + "codeql/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql", "codeql/python/ql/src/Security/CWE-022/TarSlip.ql", "codeql/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql", - "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", + "codeql/python/ql/src/Security/CWE-117/LogInjection.ql", + "codeql/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql", + "codeql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql", + "codeql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "codeql/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql", "codeql/python/ql/src/Diagnostics/ExtractionWarnings.ql", + "codeql/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql", 
"codeql/python/ql/src/Summary/LinesOfCode.ql", "codeql/python/ql/src/Summary/LinesOfUserCode.ql", - "codeql/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.ql", - "codeql/python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql", "codeql/python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql", - "codeql/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql", "codeql/python/ql/src/experimental/Security/CWE-091/Xslt.ql", + "codeql/python/ql/src/experimental/Security/CWE-287/ImproperLdapAuth.ql", "codeql/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql", - "codeql/python/ql/src/experimental/Security/CWE-643/XpathInjection.ql", - "codeql/python/ql/src/experimental/Security/CWE-287/ImproperLdapAuth.ql" + "codeql/python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql", + "codeql/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.ql" ] } \ No newline at end of file diff --git a/python/suites/codeql-python-audit.qls b/python/suites/codeql-python-audit.qls new file mode 100644 index 0000000000..44ba8fb328 --- /dev/null +++ b/python/suites/codeql-python-audit.qls @@ -0,0 +1,15 @@ +# This is the field security specialist audit pack + +- description: "Python Audit Pack" + +# Field query pack with some audit queries +- qlpack: github-queries-python + +- include: + kind: + - problem + - path-problem + - metric + - diagnostic + tags contain: + - audit diff --git a/tests/python-tests/CWE-502/static/UnsafeDeserializationStatic.expected b/tests/python-tests/CWE-502/audit/UnsafeDeserializationAudit.expected similarity index 100% rename from tests/python-tests/CWE-502/static/UnsafeDeserializationStatic.expected rename to tests/python-tests/CWE-502/audit/UnsafeDeserializationAudit.expected diff --git a/tests/python-tests/CWE-502/audit/UnsafeDeserializationAudit.qlref b/tests/python-tests/CWE-502/audit/UnsafeDeserializationAudit.qlref new file mode 100644 index 0000000000..e6d3a93d2c --- /dev/null 
+++ b/tests/python-tests/CWE-502/audit/UnsafeDeserializationAudit.qlref
@@ -0,0 +1 @@
+CWE-502/UnsafeDeserializationAudit.ql
\ No newline at end of file
diff --git a/tests/python-tests/CWE-502/static/unsafe.py b/tests/python-tests/CWE-502/audit/unsafe.py
similarity index 100%
rename from tests/python-tests/CWE-502/static/unsafe.py
rename to tests/python-tests/CWE-502/audit/unsafe.py
diff --git a/tests/python-tests/CWE-502/static/UnsafeDeserializationStatic.qlref b/tests/python-tests/CWE-502/static/UnsafeDeserializationStatic.qlref
deleted file mode 100644
index 0025d51c74..0000000000
--- a/tests/python-tests/CWE-502/static/UnsafeDeserializationStatic.qlref
+++ /dev/null
@@ -1 +0,0 @@
-CWE-502/UnsafeDeserializationStatic.ql
\ No newline at end of file