Java: Always use both "javax" and "jakarta" at the beginning of Java EE packages #21319
owen-mc wants to merge 7 commits into github:main
Conversation
This is just a find-replace of `"javax` with `javaxOrJakarta() + "`.
Pull request overview
This PR standardizes Java EE package matching to support both javax.* and jakarta.* prefixes by introducing and adopting a shared javaxOrJakarta() helper.
Changes:
- Added a shared predicate `javaxOrJakarta()` and replaced many hard-coded `javax.*` package checks with `javaxOrJakarta() + ...`.
- Updated a wide range of framework models and security queries to recognize Jakarta EE equivalents.
- Added a changelog entry documenting expected alert changes.
Reviewed changes
Copilot reviewed 46 out of 46 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| java/ql/src/utils/modelgenerator/internal/CaptureModels.qll | Uses javaxOrJakarta() for Swing package matching in model generator filtering. |
| java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll | Updates JSF type matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql | Updates JMX/RMI type matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll | Updates XQuery API type matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll | Updates servlet FilterChain matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql | Updates servlet listener/filter matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql | Updates servlet + JSF init-param matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll | Updates SSL socket type matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll | Updates crypto API type/method matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll | Updates Portlet API matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql | Updates javax.script type matching to use javaxOrJakarta(). |
| java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll | Updates EL package matching to use javaxOrJakarta(). |
| java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql | Updates SocketFactory type matching to use javaxOrJakarta(). |
| java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql | Updates servlet cookie and JAX-RS NewCookie matching to use javaxOrJakarta(). |
| java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.ql | Uses javaxOrJakarta() for Swing package matching in thread-safety query. |
| java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql | Uses javaxOrJakarta() for Swing event package matching. |
| java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql | Updates the recognized top-level JDK package list to include javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/security/XsltInjection.qll | Updates XML parser/transform type matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/security/XmlParsers.qll | Updates XML parser/transform/security modeling to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/security/XSS.qll | Updates JSP JspContext matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll | Updates Bean Validation package matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/security/Encryption.qll | Updates SSL/crypto type matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll | Updates servlet cookie/response matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll | Updates servlet request/response/session types in Spring modeling to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll | Updates javax.inject qualifiers/resources matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll | Updates JSF FacesContext matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll | Updates JSF annotation matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll | Updates Swing package checks in EJB restrictions to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll | Updates EJB package/annotation matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll | Updates XML validation type matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll | Updates Persistence package name helper to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll | Updates JSF UIComponent matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/Servlets.qll | Updates servlet API type matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/Networking.qll | Updates SocketFactory type matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/Mail.qll | Updates mail Session type matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/Jndi.qll | Updates JNDI API type matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/Jms.qll | Updates JMS method matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/JaxWS.qll | Updates JAX-RS/JWS/JAXB adapter/QName matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll | Updates various javax.annotation* / interceptor / JWS / XML WS annotations to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/frameworks/JAXB.qll | Updates JAXB types and annotation package matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll | Updates servlet filter entrypoint matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll | Updates EJB + JAXB root element entrypoint matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/JMX.qll | Updates JMX API matching to use javaxOrJakarta(). |
| java/ql/lib/semmle/code/java/J2EE.qll | Introduces javaxOrJakarta() helper and updates EJB interface matching to use it. |
| java/ql/lib/experimental/quantum/JCA.qll | Updates JCA crypto modeling to use javaxOrJakarta(). |
| java/ql/lib/change-notes/2026-02-12-jakarta.md | Adds a changelog note about expanded Jakarta EE coverage. |
Comments suppressed due to low confidence (2)

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll:1
- Swing is a Java SE API (`javax.swing`) and does not have a `jakarta.swing` equivalent. Using `javaxOrJakarta()` here can cause `jakarta.swing...` (including any user-defined packages) to be treated as Swing, changing behavior unexpectedly. Suggest keeping this match restricted to `javax.swing%`.

java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql:1
- `javax.script` is part of Java SE (JSR-223) and does not have a `jakarta.script` package. Broadening this to `jakarta.script` risks matching unrelated/user-defined packages and producing false positives. Suggest reverting these checks to `javax.script` only.
| [ | ||
| "com.sun", "sun", "java", "javax", "com.oracle.net", "genstubs", "jdk", "build.tools", | ||
| "org.omg.CORBA", "org.ietf.jgss" | ||
| "com.sun", "sun", "java", javaxOrJakarta() + "", "com.oracle.net", "genstubs", "jdk", |
jdkPackage is meant to enumerate JDK-owned top-level package roots; adding "jakarta" here appears incorrect (Jakarta EE APIs are not part of the JDK namespace in the same way javax historically was). This can mis-classify user/library code under jakarta.* as “JDK packages”, potentially affecting results. Suggest reverting this entry to "javax" only (and also avoid the unusual + "" concatenation).
| "com.sun", "sun", "java", javaxOrJakarta() + "", "com.oracle.net", "genstubs", "jdk", | |
| "com.sun", "sun", "java", "javax", "com.oracle.net", "genstubs", "jdk", |
| c.hasQualifiedName(javaxOrJakarta() + ".net.ssl", _) or | ||
| c.hasQualifiedName(javaxOrJakarta() + ".rmi.ssl", _) |
javax.net.ssl and javax.rmi.ssl are Java SE packages and do not have Jakarta-prefixed equivalents. Expanding to jakarta.net.ssl / jakarta.rmi.ssl can match arbitrary user code and change query behavior unnecessarily. Suggest restricting these to the javax.* packages.
See below for a potential fix:

```ql
    c.hasQualifiedName("javax.net.ssl", _) or
    c.hasQualifiedName("javax.rmi.ssl", _)
    )
  }
}

class X509TrustManager extends RefType {
  X509TrustManager() { this.hasQualifiedName("javax.net.ssl", "X509TrustManager") }
}

/** The `javax.net.ssl.HttpsURLConnection` class. */
class HttpsUrlConnection extends RefType {
  HttpsUrlConnection() {
    this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection")
  }
}

class SslSocketFactory extends RefType {
  SslSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") }
}

class SslContext extends RefType {
  SslContext() { this.hasQualifiedName("javax.net.ssl", "SSLContext") }
}

/** The `javax.net.ssl.SSLSession` class. */
class SslSession extends RefType {
  SslSession() { this.hasQualifiedName("javax.net.ssl", "SSLSession") }
}

/** The `javax.net.ssl.SSLEngine` class. */
class SslEngine extends RefType {
  SslEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") }
```
| this.hasQualifiedName("java.math", "BigInteger") or | ||
| this.hasQualifiedName("java.math", "BigDecimal") or | ||
| this.hasQualifiedName("javax.xml.namespace", "QName") or | ||
| this.hasQualifiedName(javaxOrJakarta() + ".xml.namespace", "QName") or |
javax.xml.namespace.QName is a Java SE type (JAXP) and does not have a jakarta.xml.namespace.QName equivalent. Using javaxOrJakarta() here can incorrectly match jakarta.xml.namespace if it exists in user code, leading to false positives. Suggest reverting this to javax.xml.namespace only.
| this.hasQualifiedName(javaxOrJakarta() + ".xml.namespace", "QName") or | |
| this.hasQualifiedName("javax.xml.namespace", "QName") or |
Force-pushed from 8978d63 to b811314.
Previously this was done in some places but not all. I have added a predicate to make it easier. Hopefully this will make it more discoverable as well.
The first commit is a find-replace-all on all .ql and .qll files in the `java` subdirectory, replacing `"javax` with `javaxOrJakarta() + "`.
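The mechanism the description relies on, shown as an added CodeQL example written for this page rather than taken from the PR: a string predicate with two results lets a single `hasQualifiedName` call match both namespaces, while a Java SE package that never moved to Jakarta (the reviewer's `javax.net.ssl` point) keeps a literal `javax` prefix. The predicate body and the class names are assumptions; the PR's own definition in `J2EE.qll` is not shown on this page.

```ql
import java

/**
 * Gets the root package of a Java EE API under either namespace.
 * Assumed definition for this example; the PR's real helper lives in
 * `java/ql/lib/semmle/code/java/J2EE.qll` and is not reproduced on this page.
 */
string javaxOrJakarta() { result = ["javax", "jakarta"] }

/**
 * The servlet `HttpServletRequest` interface. Because `javaxOrJakarta()` has two
 * results, this one `hasQualifiedName` call matches both
 * `javax.servlet.http.HttpServletRequest` and `jakarta.servlet.http.HttpServletRequest`.
 */
class EitherHttpServletRequest extends RefType {
  EitherHttpServletRequest() {
    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletRequest")
  }
}

/**
 * `SSLContext` is a Java SE type that never moved to the Jakarta namespace, so the
 * prefix stays literal: a `jakarta.net.ssl` package could only ever be user code, and
 * matching it would broaden a crypto query onto types it was not written for.
 */
class JavaSeSslContext extends RefType {
  JavaSeSslContext() { this.hasQualifiedName("javax.net.ssl", "SSLContext") }
}

/** Reports every reference type in the database that one of the two classes matches. */
from RefType t, string reason
where
  t instanceof EitherHttpServletRequest and reason = "servlet request (javax or jakarta)"
  or
  t instanceof JavaSeSslContext and reason = "SSLContext (Java SE, javax only)"
select t, reason + ": " + t.getQualifiedName()
```

Run it as a `.ql` file against any Java database that references the servlet API. The contrast between the two classes is the whole decision the review comments above turn on: the concatenation is only correct for packages that genuinely exist under both prefixes.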