Fix places which already dealt with both javax and jakarta

2026-04-23 07:45:17 +02:00 · 2026-02-12 12:32:25 +00:00
parent 4b240ebf8a
commit 31840902cd
10 changed files with 14 additions and 25 deletions
--- a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -145,8 +145,7 @@ class CookieResponseWithoutHttpOnlySink extends DataFlow::ExprNode {

 /** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
 predicate setsHttpOnlyInNewCookie(ClassInstanceExpr cie) {
-  cie.getConstructedType()
-      .hasQualifiedName([javaxOrJakarta() + ".ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
+  cie.getConstructedType().hasQualifiedName(javaxOrJakarta() + ".ws.rs.core", "NewCookie") and
  (
    cie.getNumArgument() = 6 and
    mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -89,7 +89,7 @@ private class TaintPropagatingCall extends Call {
 }

 private class JakartaType extends RefType {
-  JakartaType() { this.getPackage().hasName([javaxOrJakarta() + ".el", "jakarta.el"]) }
+  JakartaType() { this.getPackage().hasName(javaxOrJakarta() + ".el") }
 }

 private class ELProcessor extends JakartaType {
--- a/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
@@ -21,12 +21,11 @@ class GetInitParameter extends Method {
    (
      this.getDeclaringType()
          .getAnAncestor()
-          .hasQualifiedName([javaxOrJakarta() + ".servlet", "jakarta.servlet"],
+          .hasQualifiedName(javaxOrJakarta() + ".servlet",
            ["FilterConfig", "Registration", "ServletConfig", "ServletContext"]) or
      this.getDeclaringType()
          .getAnAncestor()
-          .hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"],
-            "ExternalContext")
+          .hasQualifiedName(javaxOrJakarta() + ".faces.context", "ExternalContext")
    ) and
    this.getName() = "getInitParameter"
  }
--- a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
@@ -10,8 +10,7 @@ import java
 */
 class ExternalContext extends RefType {
  ExternalContext() {
-    this.hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"],
-      "ExternalContext")
+    this.hasQualifiedName(javaxOrJakarta() + ".faces.context", "ExternalContext")
  }
 }