Merge pull request #21319 from owen-mc/java/javax-jakarta

Java: Always use both "javax" and "jakarta" at the beginning of Jave EE packages

Author: owen-mc

java/ql/lib/change-notes/2026-02-12-jakarta.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.

java/ql/lib/experimental/quantum/JCA.qll

@@ -295,7 +295,7 @@ module JCAModel {
 
   class CipherGetInstanceCall extends MethodCall {
     CipherGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "getInstance")
     }
 
     Expr getAlgorithmArg() { result = this.getArgument(0) }
@@ -307,7 +307,8 @@ module JCAModel {
   private class CipherOperationCall extends MethodCall {
     CipherOperationCall() {
       this.getMethod()
-          .hasQualifiedName("javax.crypto", "Cipher", ["update", "doFinal", "wrap", "unwrap"])
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher",
+            ["update", "doFinal", "wrap", "unwrap"])
     }
 
     predicate isIntermediate() { this.getMethod().getName() = "update" }
@@ -474,7 +475,9 @@ module JCAModel {
    * An access to the `javax.crypto.Cipher` class.
    */
   private class CipherAccess extends TypeAccess {
-    CipherAccess() { this.getType().(Class).hasQualifiedName("javax.crypto", "Cipher") }
+    CipherAccess() {
+      this.getType().(Class).hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher")
+    }
   }
 
   /**
@@ -708,7 +711,9 @@ module JCAModel {
   // and through setter methods
   class IvParameterSpecInstance extends NonceParameterInstantiation {
     IvParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "IvParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec")
     }
 
     override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(0) }
@@ -717,15 +722,18 @@ module JCAModel {
   // TODO: this also specifies the tag length for GCM
   class GCMParameterSpecInstance extends NonceParameterInstantiation {
     GCMParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "GCMParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "GCMParameterSpec")
     }
 
     override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(1) }
   }
 
   class IvParameterSpecGetIvCall extends MethodCall {
     IvParameterSpecGetIvCall() {
-      this.getMethod().hasQualifiedName("javax.crypto.spec", "IvParameterSpec", "getIV")
+      this.getMethod()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec", "getIV")
     }
   }
 
@@ -797,7 +805,9 @@ module JCAModel {
   }
 
   class CipherInitCall extends MethodCall {
-    CipherInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "init") }
+    CipherInitCall() {
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "init")
+    }
 
     /**
      * Returns the mode argument to the `init` method
@@ -966,7 +976,9 @@ module JCAModel {
 
   class DHGenParameterSpecInstance extends KeyGeneratorParameterSpecClassInstanceExpr {
     DHGenParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "DHGenParameterSpec")
     }
 
     Expr getPrimeSizeArg() { result = this.getArgument(0) }
@@ -1067,7 +1079,7 @@ module JCAModel {
   //TODO: Link getAlgorithm from KeyPairGenerator to algorithm instances or AVCs? High priority.
   class KeyGeneratorGetInstanceCall extends MethodCall {
     KeyGeneratorGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "getInstance")
       or
       this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "getInstance")
     }
@@ -1082,7 +1094,8 @@ module JCAModel {
       this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "initialize") and
       keyType = Crypto::TAsymmetricKeyType()
       or
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", ["init", "initialize"]) and
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", ["init", "initialize"]) and
       keyType = Crypto::TSymmetricKeyType()
     }
 
@@ -1111,7 +1124,7 @@ module JCAModel {
     Crypto::KeyArtifactType type;
 
     KeyGeneratorGenerateCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "generateKey") and
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "generateKey") and
       type instanceof Crypto::TSymmetricKeyType
       or
       this.getCallee()
@@ -1176,7 +1189,7 @@ module JCAModel {
   class KeySpecInstantiation extends ClassInstanceExpr {
     KeySpecInstantiation() {
       this.getConstructedType()
-          .hasQualifiedName("javax.crypto.spec",
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec",
             ["PBEKeySpec", "SecretKeySpec", "PBEKeySpec", "DESedeKeySpec"])
     }
 
@@ -1227,15 +1240,17 @@ module JCAModel {
 
   class SecretKeyFactoryGetInstanceCall extends MethodCall {
     SecretKeyFactoryGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "getInstance")
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "getInstance")
     }
 
     Expr getAlgorithmArg() { result = this.getArgument(0) }
   }
 
   class SecretKeyFactoryGenerateSecretCall extends MethodCall {
     SecretKeyFactoryGenerateSecretCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "generateSecret")
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "generateSecret")
     }
 
     Expr getKeySpecArg() { result = this.getArgument(0) }
@@ -1430,15 +1445,15 @@ module JCAModel {
 
   class KeyAgreementInitCall extends MethodCall {
     KeyAgreementInitCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "init")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "init")
     }
 
     Expr getServerKeyArg() { result = this.getArgument(0) }
   }
 
   class KeyAgreementGetInstanceCall extends MethodCall {
     KeyAgreementGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "getInstance")
     }
 
     Expr getAlgorithmArg() { result = super.getArgument(0) }
@@ -1482,7 +1497,8 @@ module JCAModel {
   class KeyAgreementCall extends MethodCall {
     KeyAgreementCall() {
       this.getCallee()
-          .hasQualifiedName("javax.crypto", "KeyAgreement", ["generateSecret", "doPhase"])
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement",
+            ["generateSecret", "doPhase"])
     }
 
     predicate isIntermediate() { this.getCallee().getName() = "doPhase" }
@@ -1647,7 +1663,9 @@ module JCAModel {
   }
 
   class MacGetInstanceCall extends MethodCall {
-    MacGetInstanceCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "getInstance") }
+    MacGetInstanceCall() {
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "getInstance")
+    }
 
     Expr getAlgorithmArg() { result = this.getArgument(0) }
 
@@ -1663,7 +1681,7 @@ module JCAModel {
   }
 
   class MacInitCall extends MethodCall {
-    MacInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "init") }
+    MacInitCall() { this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "init") }
 
     Expr getKeyArg() {
       result = this.getArgument(0) and this.getMethod().getParameterType(0).hasName("Key")
@@ -1691,7 +1709,7 @@ module JCAModel {
     Expr output;
 
     MacOperationCall() {
-      super.getMethod().getDeclaringType().hasQualifiedName("javax.crypto", "Mac") and
+      super.getMethod().getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac") and
       (
         super.getMethod().hasStringSignature(["doFinal()", "doFinal(byte[])"]) and this = output
         or

java/ql/lib/semmle/code/java/J2EE.qll

@@ -6,52 +6,67 @@ module;
 
 import Type
 
+/** Gets "java" or "jakarta". */
+string javaxOrJakarta() { result = ["javax", "jakarta"] }
+
 /** An entity bean. */
 class EntityBean extends Class {
   EntityBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EntityBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EntityBean") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** An enterprise bean. */
 class EnterpriseBean extends RefType {
   EnterpriseBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EnterpriseBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EnterpriseBean") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A local EJB home interface. */
 class LocalEjbHomeInterface extends Interface {
   LocalEjbHomeInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalHome") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalHome") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A remote EJB home interface. */
 class RemoteEjbHomeInterface extends Interface {
   RemoteEjbHomeInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBHome") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A local EJB interface. */
 class LocalEjbInterface extends Interface {
   LocalEjbInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalObject") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalObject") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A remote EJB interface. */
 class RemoteEjbInterface extends Interface {
   RemoteEjbInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBObject") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A message bean. */
 class MessageBean extends Class {
   MessageBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "MessageDrivenBean") |
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "MessageDrivenBean") |
       this.hasSupertype+(i)
     )
   }
@@ -60,6 +75,8 @@ class MessageBean extends Class {
 /** A session bean. */
 class SessionBean extends Class {
   SessionBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "SessionBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "SessionBean") |
+      this.hasSupertype+(i)
+    )
   }
 }

java/ql/lib/semmle/code/java/JMX.qll

@@ -18,7 +18,7 @@ class MBean extends ManagedBean {
 class MXBean extends ManagedBean {
   MXBean() {
     this.getQualifiedName().matches("%MXBean%") or
-    this.getAnAnnotation().getType().hasQualifiedName("javax.management", "MXBean")
+    this.getAnAnnotation().getType().hasQualifiedName(javaxOrJakarta() + ".management", "MXBean")
   }
 }
 
@@ -61,7 +61,7 @@ class JmxRegistrationCall extends MethodCall {
 class JmxRegistrationMethod extends Method {
   JmxRegistrationMethod() {
     // A direct registration with the `MBeanServer`.
-    this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and
     this.getName() = "registerMBean"
     or
     // The `MBeanServer` is often wrapped by an application specific management class, so identify
@@ -78,7 +78,7 @@ class JmxRegistrationMethod extends Method {
    */
   int getObjectPosition() {
     // Passed as the first argument to `registerMBean`.
-    this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and
     this.getName() = "registerMBean" and
     result = 0
     or
@@ -92,16 +92,20 @@ class JmxRegistrationMethod extends Method {
 /** The class `javax.management.remote.JMXConnectorFactory`. */
 class TypeJmxConnectorFactory extends Class {
   TypeJmxConnectorFactory() {
-    this.hasQualifiedName("javax.management.remote", "JMXConnectorFactory")
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXConnectorFactory")
   }
 }
 
 /** The class `javax.management.remote.JMXServiceURL`. */
 class TypeJmxServiceUrl extends Class {
-  TypeJmxServiceUrl() { this.hasQualifiedName("javax.management.remote", "JMXServiceURL") }
+  TypeJmxServiceUrl() {
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXServiceURL")
+  }
 }
 
 /** The class `javax.management.remote.rmi.RMIConnector`. */
 class TypeRmiConnector extends Class {
-  TypeRmiConnector() { this.hasQualifiedName("javax.management.remote.rmi", "RMIConnector") }
+  TypeRmiConnector() {
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnector")
+  }
 }

java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll

@@ -316,7 +316,7 @@ class FacesComponentReflectivelyConstructedClass extends ReflectivelyConstructed
  * Entry point for EJB home interfaces.
  */
 class EjbHome extends Interface, EntryPoint {
-  EjbHome() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBHome") }
+  EjbHome() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") }
 
   override Callable getALiveCallable() { result = this.getACallable() }
 }
@@ -325,7 +325,7 @@ class EjbHome extends Interface, EntryPoint {
  * Entry point for EJB object interfaces.
  */
 class EjbObject extends Interface, EntryPoint {
-  EjbObject() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBObject") }
+  EjbObject() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") }
 
   override Callable getALiveCallable() { result = this.getACallable() }
 }
@@ -341,7 +341,9 @@ class GsonDeserializationEntryPoint extends ReflectivelyConstructedClass {
 class JaxbDeserializationEntryPoint extends ReflectivelyConstructedClass {
   JaxbDeserializationEntryPoint() {
     // A class can be deserialized by JAXB if it's an `XmlRootElement`...
-    this.getAnAnnotation().getType().hasQualifiedName("javax.xml.bind.annotation", "XmlRootElement")
+    this.getAnAnnotation()
+        .getType()
+        .hasQualifiedName(javaxOrJakarta() + ".xml.bind.annotation", "XmlRootElement")
     or
     // ... or the type of an `XmlElement` field.
     exists(Field elementField |

java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll

@@ -45,7 +45,7 @@ class ServletListenerClass extends ReflectivelyConstructedClass {
  */
 class ServletFilterClass extends ReflectivelyConstructedClass {
   ServletFilterClass() {
-    this.getAnAncestor().hasQualifiedName("javax.servlet", "Filter") and
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Filter") and
     // If we have seen any `web.xml` files, this filter will be considered to be live only if it is
     // referred to as a filter-class in at least one. If no `web.xml` files are found, we assume
     // that XML extraction was not enabled, and therefore consider all filter classes as live.