Merge pull request #21319 from owen-mc/java/javax-jakarta

Java: Always use both "javax" and "jakarta" at the beginning of Jave EE packages
2026-02-23 18:33:42 +01:00 · 2026-02-17 08:31:52 +00:00
parent b34777e67f 91c731f68d
commit 94e3d86f6a
45 changed files with 347 additions and 204 deletions
--- a/java/ql/lib/change-notes/2026-02-12-jakarta.md
+++ b/java/ql/lib/change-notes/2026-02-12-jakarta.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.
--- a/java/ql/lib/experimental/quantum/JCA.qll
+++ b/java/ql/lib/experimental/quantum/JCA.qll
@@ -295,7 +295,7 @@ module JCAModel {

  class CipherGetInstanceCall extends MethodCall {
    CipherGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "getInstance")
    }

    Expr getAlgorithmArg() { result = this.getArgument(0) }
@@ -307,7 +307,8 @@ module JCAModel {
  private class CipherOperationCall extends MethodCall {
    CipherOperationCall() {
      this.getMethod()
-          .hasQualifiedName("javax.crypto", "Cipher", ["update", "doFinal", "wrap", "unwrap"])
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher",
+            ["update", "doFinal", "wrap", "unwrap"])
    }

    predicate isIntermediate() { this.getMethod().getName() = "update" }
@@ -474,7 +475,9 @@ module JCAModel {
   * An access to the `javax.crypto.Cipher` class.
   */
  private class CipherAccess extends TypeAccess {
-    CipherAccess() { this.getType().(Class).hasQualifiedName("javax.crypto", "Cipher") }
+    CipherAccess() {
+      this.getType().(Class).hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher")
+    }
  }

  /**
@@ -708,7 +711,9 @@ module JCAModel {
  // and through setter methods
  class IvParameterSpecInstance extends NonceParameterInstantiation {
    IvParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "IvParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec")
    }

    override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(0) }
@@ -717,7 +722,9 @@ module JCAModel {
  // TODO: this also specifies the tag length for GCM
  class GCMParameterSpecInstance extends NonceParameterInstantiation {
    GCMParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "GCMParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "GCMParameterSpec")
    }

    override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(1) }
@@ -725,7 +732,8 @@ module JCAModel {

  class IvParameterSpecGetIvCall extends MethodCall {
    IvParameterSpecGetIvCall() {
-      this.getMethod().hasQualifiedName("javax.crypto.spec", "IvParameterSpec", "getIV")
+      this.getMethod()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec", "getIV")
    }
  }

@@ -797,7 +805,9 @@ module JCAModel {
  }

  class CipherInitCall extends MethodCall {
-    CipherInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "init") }
+    CipherInitCall() {
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "init")
+    }

    /**
     * Returns the mode argument to the `init` method
@@ -966,7 +976,9 @@ module JCAModel {

  class DHGenParameterSpecInstance extends KeyGeneratorParameterSpecClassInstanceExpr {
    DHGenParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "DHGenParameterSpec")
    }

    Expr getPrimeSizeArg() { result = this.getArgument(0) }
@@ -1067,7 +1079,7 @@ module JCAModel {
  //TODO: Link getAlgorithm from KeyPairGenerator to algorithm instances or AVCs? High priority.
  class KeyGeneratorGetInstanceCall extends MethodCall {
    KeyGeneratorGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "getInstance")
      or
      this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "getInstance")
    }
@@ -1082,7 +1094,8 @@ module JCAModel {
      this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "initialize") and
      keyType = Crypto::TAsymmetricKeyType()
      or
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", ["init", "initialize"]) and
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", ["init", "initialize"]) and
      keyType = Crypto::TSymmetricKeyType()
    }

@@ -1111,7 +1124,7 @@ module JCAModel {
    Crypto::KeyArtifactType type;

    KeyGeneratorGenerateCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "generateKey") and
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "generateKey") and
      type instanceof Crypto::TSymmetricKeyType
      or
      this.getCallee()
@@ -1176,7 +1189,7 @@ module JCAModel {
  class KeySpecInstantiation extends ClassInstanceExpr {
    KeySpecInstantiation() {
      this.getConstructedType()
-          .hasQualifiedName("javax.crypto.spec",
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec",
            ["PBEKeySpec", "SecretKeySpec", "PBEKeySpec", "DESedeKeySpec"])
    }

@@ -1227,7 +1240,8 @@ module JCAModel {

  class SecretKeyFactoryGetInstanceCall extends MethodCall {
    SecretKeyFactoryGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "getInstance")
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "getInstance")
    }

    Expr getAlgorithmArg() { result = this.getArgument(0) }
@@ -1235,7 +1249,8 @@ module JCAModel {

  class SecretKeyFactoryGenerateSecretCall extends MethodCall {
    SecretKeyFactoryGenerateSecretCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "generateSecret")
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "generateSecret")
    }

    Expr getKeySpecArg() { result = this.getArgument(0) }
@@ -1430,7 +1445,7 @@ module JCAModel {

  class KeyAgreementInitCall extends MethodCall {
    KeyAgreementInitCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "init")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "init")
    }

    Expr getServerKeyArg() { result = this.getArgument(0) }
@@ -1438,7 +1453,7 @@ module JCAModel {

  class KeyAgreementGetInstanceCall extends MethodCall {
    KeyAgreementGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "getInstance")
    }

    Expr getAlgorithmArg() { result = super.getArgument(0) }
@@ -1482,7 +1497,8 @@ module JCAModel {
  class KeyAgreementCall extends MethodCall {
    KeyAgreementCall() {
      this.getCallee()
-          .hasQualifiedName("javax.crypto", "KeyAgreement", ["generateSecret", "doPhase"])
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement",
+            ["generateSecret", "doPhase"])
    }

    predicate isIntermediate() { this.getCallee().getName() = "doPhase" }
@@ -1647,7 +1663,9 @@ module JCAModel {
  }

  class MacGetInstanceCall extends MethodCall {
-    MacGetInstanceCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "getInstance") }
+    MacGetInstanceCall() {
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "getInstance")
+    }

    Expr getAlgorithmArg() { result = this.getArgument(0) }

@@ -1663,7 +1681,7 @@ module JCAModel {
  }

  class MacInitCall extends MethodCall {
-    MacInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "init") }
+    MacInitCall() { this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "init") }

    Expr getKeyArg() {
      result = this.getArgument(0) and this.getMethod().getParameterType(0).hasName("Key")
@@ -1691,7 +1709,7 @@ module JCAModel {
    Expr output;

    MacOperationCall() {
-      super.getMethod().getDeclaringType().hasQualifiedName("javax.crypto", "Mac") and
+      super.getMethod().getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac") and
      (
        super.getMethod().hasStringSignature(["doFinal()", "doFinal(byte[])"]) and this = output
        or
--- a/java/ql/lib/semmle/code/java/J2EE.qll
+++ b/java/ql/lib/semmle/code/java/J2EE.qll
@@ -6,52 +6,67 @@ module;

 import Type

+/** Gets "java" or "jakarta". */
+string javaxOrJakarta() { result = ["javax", "jakarta"] }
+
 /** An entity bean. */
 class EntityBean extends Class {
  EntityBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EntityBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EntityBean") |
+      this.hasSupertype+(i)
+    )
  }
 }

 /** An enterprise bean. */
 class EnterpriseBean extends RefType {
  EnterpriseBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EnterpriseBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EnterpriseBean") |
+      this.hasSupertype+(i)
+    )
  }
 }

 /** A local EJB home interface. */
 class LocalEjbHomeInterface extends Interface {
  LocalEjbHomeInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalHome") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalHome") |
+      this.hasSupertype+(i)
+    )
  }
 }

 /** A remote EJB home interface. */
 class RemoteEjbHomeInterface extends Interface {
  RemoteEjbHomeInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBHome") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") |
+      this.hasSupertype+(i)
+    )
  }
 }

 /** A local EJB interface. */
 class LocalEjbInterface extends Interface {
  LocalEjbInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalObject") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalObject") |
+      this.hasSupertype+(i)
+    )
  }
 }

 /** A remote EJB interface. */
 class RemoteEjbInterface extends Interface {
  RemoteEjbInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBObject") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") |
+      this.hasSupertype+(i)
+    )
  }
 }

 /** A message bean. */
 class MessageBean extends Class {
  MessageBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "MessageDrivenBean") |
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "MessageDrivenBean") |
      this.hasSupertype+(i)
    )
  }
@@ -60,6 +75,8 @@ class MessageBean extends Class {
 /** A session bean. */
 class SessionBean extends Class {
  SessionBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "SessionBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "SessionBean") |
+      this.hasSupertype+(i)
+    )
  }
 }
--- a/java/ql/lib/semmle/code/java/JMX.qll
+++ b/java/ql/lib/semmle/code/java/JMX.qll
@@ -18,7 +18,7 @@ class MBean extends ManagedBean {
 class MXBean extends ManagedBean {
  MXBean() {
    this.getQualifiedName().matches("%MXBean%") or
-    this.getAnAnnotation().getType().hasQualifiedName("javax.management", "MXBean")
+    this.getAnAnnotation().getType().hasQualifiedName(javaxOrJakarta() + ".management", "MXBean")
  }
 }

@@ -61,7 +61,7 @@ class JmxRegistrationCall extends MethodCall {
 class JmxRegistrationMethod extends Method {
  JmxRegistrationMethod() {
    // A direct registration with the `MBeanServer`.
-    this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and
    this.getName() = "registerMBean"
    or
    // The `MBeanServer` is often wrapped by an application specific management class, so identify
@@ -78,7 +78,7 @@ class JmxRegistrationMethod extends Method {
   */
  int getObjectPosition() {
    // Passed as the first argument to `registerMBean`.
-    this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and
    this.getName() = "registerMBean" and
    result = 0
    or
@@ -92,16 +92,20 @@ class JmxRegistrationMethod extends Method {
 /** The class `javax.management.remote.JMXConnectorFactory`. */
 class TypeJmxConnectorFactory extends Class {
  TypeJmxConnectorFactory() {
-    this.hasQualifiedName("javax.management.remote", "JMXConnectorFactory")
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXConnectorFactory")
  }
 }

 /** The class `javax.management.remote.JMXServiceURL`. */
 class TypeJmxServiceUrl extends Class {
-  TypeJmxServiceUrl() { this.hasQualifiedName("javax.management.remote", "JMXServiceURL") }
+  TypeJmxServiceUrl() {
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXServiceURL")
+  }
 }

 /** The class `javax.management.remote.rmi.RMIConnector`. */
 class TypeRmiConnector extends Class {
-  TypeRmiConnector() { this.hasQualifiedName("javax.management.remote.rmi", "RMIConnector") }
+  TypeRmiConnector() {
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnector")
+  }
 }
--- a/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll
+++ b/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll
@@ -316,7 +316,7 @@ class FacesComponentReflectivelyConstructedClass extends ReflectivelyConstructed
 * Entry point for EJB home interfaces.
 */
 class EjbHome extends Interface, EntryPoint {
-  EjbHome() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBHome") }
+  EjbHome() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") }

  override Callable getALiveCallable() { result = this.getACallable() }
 }
@@ -325,7 +325,7 @@ class EjbHome extends Interface, EntryPoint {
 * Entry point for EJB object interfaces.
 */
 class EjbObject extends Interface, EntryPoint {
-  EjbObject() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBObject") }
+  EjbObject() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") }

  override Callable getALiveCallable() { result = this.getACallable() }
 }
@@ -341,7 +341,9 @@ class GsonDeserializationEntryPoint extends ReflectivelyConstructedClass {
 class JaxbDeserializationEntryPoint extends ReflectivelyConstructedClass {
  JaxbDeserializationEntryPoint() {
    // A class can be deserialized by JAXB if it's an `XmlRootElement`...
-    this.getAnAnnotation().getType().hasQualifiedName("javax.xml.bind.annotation", "XmlRootElement")
+    this.getAnAnnotation()
+        .getType()
+        .hasQualifiedName(javaxOrJakarta() + ".xml.bind.annotation", "XmlRootElement")
    or
    // ... or the type of an `XmlElement` field.
    exists(Field elementField |
--- a/java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll
+++ b/java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll
@@ -45,7 +45,7 @@ class ServletListenerClass extends ReflectivelyConstructedClass {
 */
 class ServletFilterClass extends ReflectivelyConstructedClass {
  ServletFilterClass() {
-    this.getAnAncestor().hasQualifiedName("javax.servlet", "Filter") and
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Filter") and
    // If we have seen any `web.xml` files, this filter will be considered to be live only if it is
    // referred to as a filter-class in at least one. If no `web.xml` files are found, we assume
    // that XML extraction was not enabled, and therefore consider all filter classes as live.
--- a/java/ql/lib/semmle/code/java/frameworks/JAXB.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JAXB.qll
@@ -6,20 +6,20 @@ import semmle.code.java.Type

 class JaxbElement extends Class {
  JaxbElement() {
-    this.getAnAncestor().hasQualifiedName("javax.xml.bind", "JAXBElement") or
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".xml.bind", "JAXBElement") or
    this.getAnAnnotation().getType().getName() = "XmlRootElement"
  }
 }

 class JaxbMarshalMethod extends Method {
  JaxbMarshalMethod() {
-    this.getDeclaringType().hasQualifiedName("javax.xml.bind", "Marshaller") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".xml.bind", "Marshaller") and
    this.getName() = "marshal"
  }
 }

 class JaxbAnnotationType extends AnnotationType {
-  JaxbAnnotationType() { this.getPackage().getName() = "javax.xml.bind.annotation" }
+  JaxbAnnotationType() { this.getPackage().getName() = javaxOrJakarta() + ".xml.bind.annotation" }
 }

 class JaxbAnnotated extends Annotatable {
--- a/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll
@@ -14,35 +14,45 @@ import java
 * A `@javax.annotation.Generated` annotation.
 */
 class GeneratedAnnotation extends Annotation {
-  GeneratedAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Generated") }
+  GeneratedAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Generated")
+  }
 }

 /**
 * A `@javax.annotation.PostConstruct` annotation.
 */
 class PostConstructAnnotation extends Annotation {
-  PostConstructAnnotation() { this.getType().hasQualifiedName("javax.annotation", "PostConstruct") }
+  PostConstructAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "PostConstruct")
+  }
 }

 /**
 * A `@javax.annotation.PreDestroy` annotation.
 */
 class PreDestroyAnnotation extends Annotation {
-  PreDestroyAnnotation() { this.getType().hasQualifiedName("javax.annotation", "PreDestroy") }
+  PreDestroyAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "PreDestroy")
+  }
 }

 /**
 * A `@javax.annotation.Resource` annotation.
 */
 class ResourceAnnotation extends Annotation {
-  ResourceAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Resource") }
+  ResourceAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Resource")
+  }
 }

 /**
 * A `@javax.annotation.Resources` annotation.
 */
 class ResourcesAnnotation extends Annotation {
-  ResourcesAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Resources") }
+  ResourcesAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Resources")
+  }
 }

 /**
@@ -50,7 +60,7 @@ class ResourcesAnnotation extends Annotation {
 */
 class JavaxManagedBeanAnnotation extends Annotation {
  JavaxManagedBeanAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation", "ManagedBean")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "ManagedBean")
  }
 }

@@ -63,7 +73,7 @@ class JavaxManagedBeanAnnotation extends Annotation {
 */
 class DeclareRolesAnnotation extends Annotation {
  DeclareRolesAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation.security", "DeclareRoles")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "DeclareRoles")
  }
 }

@@ -71,7 +81,9 @@ class DeclareRolesAnnotation extends Annotation {
 * A `@javax.annotation.security.DenyAll` annotation.
 */
 class DenyAllAnnotation extends Annotation {
-  DenyAllAnnotation() { this.getType().hasQualifiedName("javax.annotation.security", "DenyAll") }
+  DenyAllAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "DenyAll")
+  }
 }

 /**
@@ -79,7 +91,7 @@ class DenyAllAnnotation extends Annotation {
 */
 class PermitAllAnnotation extends Annotation {
  PermitAllAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation.security", "PermitAll")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "PermitAll")
  }
 }

@@ -88,7 +100,7 @@ class PermitAllAnnotation extends Annotation {
 */
 class RolesAllowedAnnotation extends Annotation {
  RolesAllowedAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation.security", "RolesAllowed")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "RolesAllowed")
  }
 }

@@ -96,7 +108,9 @@ class RolesAllowedAnnotation extends Annotation {
 * A `@javax.annotation.security.RunAs` annotation.
 */
 class RunAsAnnotation extends Annotation {
-  RunAsAnnotation() { this.getType().hasQualifiedName("javax.annotation.security", "RunAs") }
+  RunAsAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "RunAs")
+  }
 }

 /*
@@ -107,7 +121,9 @@ class RunAsAnnotation extends Annotation {
 * A `@javax.interceptor.AroundInvoke` annotation.
 */
 class AroundInvokeAnnotation extends Annotation {
-  AroundInvokeAnnotation() { this.getType().hasQualifiedName("javax.interceptor", "AroundInvoke") }
+  AroundInvokeAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "AroundInvoke")
+  }
 }

 /**
@@ -115,7 +131,7 @@ class AroundInvokeAnnotation extends Annotation {
 */
 class ExcludeClassInterceptorsAnnotation extends Annotation {
  ExcludeClassInterceptorsAnnotation() {
-    this.getType().hasQualifiedName("javax.interceptor", "ExcludeClassInterceptors")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "ExcludeClassInterceptors")
  }
 }

@@ -124,7 +140,7 @@ class ExcludeClassInterceptorsAnnotation extends Annotation {
 */
 class ExcludeDefaultInterceptorsAnnotation extends Annotation {
  ExcludeDefaultInterceptorsAnnotation() {
-    this.getType().hasQualifiedName("javax.interceptor", "ExcludeDefaultInterceptors")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "ExcludeDefaultInterceptors")
  }
 }

@@ -132,7 +148,9 @@ class ExcludeDefaultInterceptorsAnnotation extends Annotation {
 * A `@javax.interceptor.Interceptors` annotation.
 */
 class InterceptorsAnnotation extends Annotation {
-  InterceptorsAnnotation() { this.getType().hasQualifiedName("javax.interceptor", "Interceptors") }
+  InterceptorsAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "Interceptors")
+  }
 }

 /*
@@ -143,14 +161,16 @@ class InterceptorsAnnotation extends Annotation {
 * A `@javax.jws.WebMethod` annotation.
 */
 class WebMethodAnnotation extends Annotation {
-  WebMethodAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebMethod") }
+  WebMethodAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebMethod") }
 }

 /**
 * A `@javax.jws.WebService` annotation.
 */
 class WebServiceAnnotation extends Annotation {
-  WebServiceAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebService") }
+  WebServiceAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebService")
+  }
 }

 /*
@@ -161,7 +181,9 @@ class WebServiceAnnotation extends Annotation {
 * A `@javax.xml.ws.WebServiceRef` annotation.
 */
 class WebServiceRefAnnotation extends Annotation {
-  WebServiceRefAnnotation() { this.getType().hasQualifiedName("javax.xml.ws", "WebServiceRef") }
+  WebServiceRefAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".xml.ws", "WebServiceRef")
+  }
 }

 /*
@@ -173,9 +195,7 @@ class WebServiceRefAnnotation extends Annotation {
 */
 class PatternAnnotation extends Annotation, RegexMatch::Range {
  PatternAnnotation() {
-    this.getType()
-        .hasQualifiedName(["javax.validation.constraints", "jakarta.validation.constraints"],
-          "Pattern")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".validation.constraints", "Pattern")
  }

  override Expr getRegex() { result = this.getValue("regexp") }
--- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
@@ -13,7 +13,7 @@ private import semmle.code.java.security.XSS
 /**
 * Gets a name for the root package of JAX-RS.
 */
-string getAJaxRsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] }
+string getAJaxRsPackage() { result = javaxOrJakarta() + ".ws.rs" }

 /**
 * Gets a name for package `subpackage` within the JAX-RS hierarchy.
@@ -42,7 +42,7 @@ class JaxWsEndpoint extends Class {
    result.isPublic() and
    not result instanceof InitializerMethod and
    not exists(Annotation a | a = result.getAnAnnotation() |
-      a.getType().hasQualifiedName(["javax", "jakarta"] + ".jws", "WebMethod") and
+      a.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebMethod") and
      a.getValue("exclude").(BooleanLiteral).getBooleanValue() = true
    ) and
    forex(ParamOrReturn paramOrRet | paramOrRet = result.getAParameter() or paramOrRet = result |
@@ -62,8 +62,7 @@ class JaxWsEndpoint extends Class {
 /** The annotation type `@XmlJavaTypeAdapter`. */
 class XmlJavaTypeAdapter extends AnnotationType {
  XmlJavaTypeAdapter() {
-    this.hasQualifiedName(["javax", "jakarta"] + ".xml.bind.annotation.adapters",
-      "XmlJavaTypeAdapter")
+    this.hasQualifiedName(javaxOrJakarta() + ".xml.bind.annotation.adapters", "XmlJavaTypeAdapter")
  }
 }

@@ -292,7 +291,7 @@ class JaxRSAnnotation extends Annotation {
  JaxRSAnnotation() {
    exists(AnnotationType a |
      a = this.getType() and
-      a.getPackage().getName().regexpMatch(["javax\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"])
+      a.getPackage().getName().regexpMatch(javaxOrJakarta() + "\\.ws\\.rs(\\..*)?")
    )
  }
 }
--- a/java/ql/lib/semmle/code/java/frameworks/Jms.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Jms.qll
@@ -7,6 +7,6 @@ import java
 /** The method `ObjectMessage.getObject`. */
 class ObjectMessageGetObjectMethod extends Method {
  ObjectMessageGetObjectMethod() {
-    this.hasQualifiedName(["javax", "jakarta"] + ".jms", "ObjectMessage", "getObject")
+    this.hasQualifiedName(javaxOrJakarta() + ".jms", "ObjectMessage", "getObject")
  }
 }
--- a/java/ql/lib/semmle/code/java/frameworks/Jndi.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Jndi.qll
@@ -9,32 +9,34 @@ import java
 /*--- Types ---*/
 /** The interface `javax.naming.Context`. */
 class TypeNamingContext extends Interface {
-  TypeNamingContext() { this.hasQualifiedName("javax.naming", "Context") }
+  TypeNamingContext() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "Context") }
 }

 /** The class `javax.naming.CompositeName`. */
 class TypeCompositeName extends Class {
-  TypeCompositeName() { this.hasQualifiedName("javax.naming", "CompositeName") }
+  TypeCompositeName() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "CompositeName") }
 }

 /** The class `javax.naming.CompoundName`. */
 class TypeCompoundName extends Class {
-  TypeCompoundName() { this.hasQualifiedName("javax.naming", "CompoundName") }
+  TypeCompoundName() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "CompoundName") }
 }

 /** The interface `javax.naming.directory.DirContext`. */
 class TypeDirContext extends Interface {
-  TypeDirContext() { this.hasQualifiedName("javax.naming.directory", "DirContext") }
+  TypeDirContext() { this.hasQualifiedName(javaxOrJakarta() + ".naming.directory", "DirContext") }
 }

 /** The class `javax.naming.directory.SearchControls` */
 class TypeSearchControls extends Class {
-  TypeSearchControls() { this.hasQualifiedName("javax.naming.directory", "SearchControls") }
+  TypeSearchControls() {
+    this.hasQualifiedName(javaxOrJakarta() + ".naming.directory", "SearchControls")
+  }
 }

 /** The class `javax.naming.ldap.LdapName`. */
 class TypeLdapName extends Class {
-  TypeLdapName() { this.hasQualifiedName("javax.naming.ldap", "LdapName") }
+  TypeLdapName() { this.hasQualifiedName(javaxOrJakarta() + ".naming.ldap", "LdapName") }
 }

 /*--- Methods ---*/
--- a/java/ql/lib/semmle/code/java/frameworks/Mail.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Mail.qll
@@ -8,7 +8,7 @@ import java
 * The class `javax.mail.Session` or `jakarta.mail.Session`.
 */
 class MailSession extends Class {
-  MailSession() { this.hasQualifiedName(["javax.mail", "jakarta.mail"], "Session") }
+  MailSession() { this.hasQualifiedName(javaxOrJakarta() + ".mail", "Session") }
 }

 /**
--- a/java/ql/lib/semmle/code/java/frameworks/Networking.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Networking.qll
@@ -20,7 +20,7 @@ class TypeSocket extends RefType {

 /** The type `javax.net.SocketFactory` */
 class TypeSocketFactory extends RefType {
-  TypeSocketFactory() { this.hasQualifiedName("javax.net", "SocketFactory") }
+  TypeSocketFactory() { this.hasQualifiedName(javaxOrJakarta() + ".net", "SocketFactory") }
 }

 /** The type `java.net.URL`. */
--- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -12,7 +12,7 @@ import semmle.code.java.Type
 */
 class ServletRequest extends RefType {
  ServletRequest() {
-    this.hasQualifiedName("javax.servlet", "ServletRequest") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequest") or
    this instanceof HttpServletRequest
  }
 }
@@ -21,7 +21,9 @@ class ServletRequest extends RefType {
 * The interface `javax.servlet.http.HttpServletRequest`.
 */
 class HttpServletRequest extends RefType {
-  HttpServletRequest() { this.hasQualifiedName("javax.servlet.http", "HttpServletRequest") }
+  HttpServletRequest() {
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletRequest")
+  }
 }

 /**
@@ -168,7 +170,7 @@ class ServletRequestGetBodyMethod extends Method {
 */
 class ServletResponse extends RefType {
  ServletResponse() {
-    this.hasQualifiedName("javax.servlet", "ServletResponse") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletResponse") or
    this instanceof HttpServletResponse
  }
 }
@@ -177,7 +179,9 @@ class ServletResponse extends RefType {
 * The interface `javax.servlet.http.HttpServletResponse`.
 */
 class HttpServletResponse extends RefType {
-  HttpServletResponse() { this.hasQualifiedName("javax.servlet.http", "HttpServletResponse") }
+  HttpServletResponse() {
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletResponse")
+  }
 }

 /**
@@ -239,7 +243,7 @@ class ServletResponseGetOutputStreamMethod extends Method {

 /** The class `javax.servlet.http.Cookie`. */
 class TypeCookie extends Class {
-  TypeCookie() { this.hasQualifiedName("javax.servlet.http", "Cookie") }
+  TypeCookie() { this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "Cookie") }
 }

 /**
@@ -331,7 +335,7 @@ class ResponseSetContentTypeMethod extends Method {
 * A class that has `javax.servlet.Servlet` as an ancestor.
 */
 class ServletClass extends Class {
-  ServletClass() { this.getAnAncestor().hasQualifiedName("javax.servlet", "Servlet") }
+  ServletClass() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Servlet") }
 }

 /**
@@ -342,13 +346,13 @@ class ServletClass extends Class {
 */
 class ServletWebXmlListenerType extends RefType {
  ServletWebXmlListenerType() {
-    this.hasQualifiedName("javax.servlet", "ServletContextAttributeListener") or
-    this.hasQualifiedName("javax.servlet", "ServletContextListener") or
-    this.hasQualifiedName("javax.servlet", "ServletRequestAttributeListener") or
-    this.hasQualifiedName("javax.servlet", "ServletRequestListener") or
-    this.hasQualifiedName("javax.servlet.http", "HttpSessionAttributeListener") or
-    this.hasQualifiedName("javax.servlet.http", "HttpSessionIdListener") or
-    this.hasQualifiedName("javax.servlet.http", "HttpSessionListener")
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContextAttributeListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContextListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequestAttributeListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequestListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionAttributeListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionIdListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionListener")
    // Listeners that are not configured in `web.xml`:
    //  - `HttpSessionActivationListener`
    //  - `HttpSessionBindingListener`
@@ -373,8 +377,8 @@ predicate isRequestGetParamMethod(MethodCall ma) {
 /** The Java EE RequestDispatcher. */
 class RequestDispatcher extends RefType {
  RequestDispatcher() {
-    this.hasQualifiedName(["javax.servlet", "jakarta.servlet"], "RequestDispatcher") or
-    this.hasQualifiedName("javax.portlet", "PortletRequestDispatcher")
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "RequestDispatcher") or
+    this.hasQualifiedName(javaxOrJakarta() + ".portlet", "PortletRequestDispatcher")
  }
 }

@@ -398,7 +402,7 @@ class RequestDispatchMethod extends Method {
 * The interface `javax.servlet.ServletContext`.
 */
 class ServletContext extends RefType {
-  ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") }
+  ServletContext() { this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContext") }
 }

 /** The `getResource` method of `ServletContext`. */
@@ -419,5 +423,5 @@ class GetServletResourceAsStreamMethod extends Method {

 /** The interface `javax.servlet.http.HttpSession` */
 class HttpServletSession extends RefType {
-  HttpServletSession() { this.hasQualifiedName("javax.servlet.http", "HttpSession") }
+  HttpServletSession() { this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSession") }
 }
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll
@@ -61,7 +61,7 @@ class FacesAccessibleType extends RefType {
 class FacesComponent extends Class {
  FacesComponent() {
    // Must extend UIComponent for it to be a valid component.
-    this.getAnAncestor().hasQualifiedName("javax.faces.component", "UIComponent") and
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".faces.component", "UIComponent") and
    (
      // Must be registered using either an annotation
      exists(FacesComponentAnnotation componentAnnotation |
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll
@@ -9,7 +9,7 @@ import java
 /**
 * Gets a JavaEE Persistence API package name.
 */
-string getAPersistencePackageName() { result = ["javax.persistence", "jakarta.persistence"] }
+string getAPersistencePackageName() { result = javaxOrJakarta() + ".persistence" }

 /**
 * A `RefType` with the `@Entity` annotation that indicates that it can be persisted using a JPA
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll
@@ -33,7 +33,7 @@ private class ValidatorConfig extends TransformerConfig {

 /** The class `javax.xml.validation.Validator`. */
 private class Validator extends RefType {
-  Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
+  Validator() { this.hasQualifiedName(javaxOrJakarta() + ".xml.validation", "Validator") }
 }

 /** A safely configured `Validator`. */
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll
@@ -64,7 +64,7 @@ class SessionEjb extends EJB {
    result = this.getASupertype() and
    not result.hasQualifiedName("java.io", "Serializable") and
    not result.hasQualifiedName("java.io", "Externalizable") and
-    not result.getPackage().getName() = "javax.ejb"
+    not result.getPackage().getName() = javaxOrJakarta() + ".ejb"
  }

  /** Any remote interfaces of this EJB. */
@@ -216,14 +216,14 @@ abstract class BusinessInterfaceAnnotation extends EjbInterfaceAnnotation { }
 * An instance of a `@Remote` annotation.
 */
 class RemoteAnnotation extends BusinessInterfaceAnnotation {
-  RemoteAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Remote") }
+  RemoteAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Remote") }
 }

 /**
 * An instance of a `@Local` annotation.
 */
 class LocalAnnotation extends BusinessInterfaceAnnotation {
-  LocalAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Local") }
+  LocalAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Local") }
 }

 /**
@@ -330,7 +330,7 @@ class LocalAnnotatedBusinessInterface extends AnnotatedBusinessInterface {
 * A `@javax.ejb.Init` annotation.
 */
 class InitAnnotation extends Annotation {
-  InitAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Init") }
+  InitAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Init") }
 }

 /**
@@ -383,14 +383,16 @@ abstract class HomeAnnotation extends EjbInterfaceAnnotation { }
 * An instance of a `@RemoteHome` annotation.
 */
 class RemoteHomeAnnotation extends HomeAnnotation {
-  RemoteHomeAnnotation() { this.getType().hasQualifiedName("javax.ejb", "RemoteHome") }
+  RemoteHomeAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "RemoteHome")
+  }
 }

 /**
 * An instance of a `@LocalHome` annotation.
 */
 class LocalHomeAnnotation extends HomeAnnotation {
-  LocalHomeAnnotation() { this.getType().hasQualifiedName("javax.ejb", "LocalHome") }
+  LocalHomeAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "LocalHome") }
 }

 /**
@@ -748,7 +750,9 @@ Type inheritsMatchingCreateMethodExceptThrows(StatefulSessionEjb ejb, EjbInterfa
 * A `@javax.ejb.AccessTimeout` annotation.
 */
 class AccessTimeoutAnnotation extends Annotation {
-  AccessTimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AccessTimeout") }
+  AccessTimeoutAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AccessTimeout")
+  }
 }

 /**
@@ -756,7 +760,7 @@ class AccessTimeoutAnnotation extends Annotation {
 */
 class ActivationConfigPropertyAnnotation extends Annotation {
  ActivationConfigPropertyAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "ActivationConfigProperty")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ActivationConfigProperty")
  }
 }

@@ -764,14 +768,18 @@ class ActivationConfigPropertyAnnotation extends Annotation {
 * A `@javax.ejb.AfterBegin` annotation.
 */
 class AfterBeginAnnotation extends Annotation {
-  AfterBeginAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AfterBegin") }
+  AfterBeginAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AfterBegin")
+  }
 }

 /**
 * A `@javax.ejb.AfterCompletion` annotation.
 */
 class AfterCompletionAnnotation extends Annotation {
-  AfterCompletionAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AfterCompletion") }
+  AfterCompletionAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AfterCompletion")
+  }
 }

 /**
@@ -779,7 +787,7 @@ class AfterCompletionAnnotation extends Annotation {
 */
 class ApplicationExceptionAnnotation extends Annotation {
  ApplicationExceptionAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "ApplicationException")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ApplicationException")
  }
 }

@@ -787,14 +795,18 @@ class ApplicationExceptionAnnotation extends Annotation {
 * A `@javax.ejb.Asynchronous` annotation.
 */
 class AsynchronousAnnotation extends Annotation {
-  AsynchronousAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Asynchronous") }
+  AsynchronousAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Asynchronous")
+  }
 }

 /**
 * A `@javax.ejb.BeforeCompletion` annotation.
 */
 class BeforeCompletionAnnotation extends Annotation {
-  BeforeCompletionAnnotation() { this.getType().hasQualifiedName("javax.ejb", "BeforeCompletion") }
+  BeforeCompletionAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "BeforeCompletion")
+  }
 }

 /**
@@ -802,7 +814,7 @@ class BeforeCompletionAnnotation extends Annotation {
 */
 class ConcurrencyManagementAnnotation extends Annotation {
  ConcurrencyManagementAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "ConcurrencyManagement")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ConcurrencyManagement")
  }
 }

@@ -810,119 +822,127 @@ class ConcurrencyManagementAnnotation extends Annotation {
 * A `@javax.ejb.DependsOn` annotation.
 */
 class DependsOnAnnotation extends Annotation {
-  DependsOnAnnotation() { this.getType().hasQualifiedName("javax.ejb", "DependsOn") }
+  DependsOnAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "DependsOn") }
 }

 /**
 * A `@javax.ejb.EJB` annotation.
 */
 class EjbAnnotation extends Annotation {
-  EjbAnnotation() { this.getType().hasQualifiedName("javax.ejb", "EJB") }
+  EjbAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJB") }
 }

 /**
 * A `@javax.ejb.EJBs` annotation.
 */
 class EJBsAnnotation extends Annotation {
-  EJBsAnnotation() { this.getType().hasQualifiedName("javax.ejb", "EJBs") }
+  EJBsAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBs") }
 }

 /**
 * A `@javax.ejb.LocalBean` annotation.
 */
 class LocalBeanAnnotation extends Annotation {
-  LocalBeanAnnotation() { this.getType().hasQualifiedName("javax.ejb", "LocalBean") }
+  LocalBeanAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "LocalBean") }
 }

 /**
 * A `@javax.ejb.Lock` annotation.
 */
 class LockAnnotation extends Annotation {
-  LockAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Lock") }
+  LockAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Lock") }
 }

 /**
 * A `@javax.ejb.MessageDriven` annotation.
 */
 class MessageDrivenAnnotation extends Annotation {
-  MessageDrivenAnnotation() { this.getType().hasQualifiedName("javax.ejb", "MessageDriven") }
+  MessageDrivenAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "MessageDriven")
+  }
 }

 /**
 * A `@javax.ejb.PostActivate` annotation.
 */
 class PostActivateAnnotation extends Annotation {
-  PostActivateAnnotation() { this.getType().hasQualifiedName("javax.ejb", "PostActivate") }
+  PostActivateAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "PostActivate")
+  }
 }

 /**
 * A `@javax.ejb.PrePassivate` annotation.
 */
 class PrePassivateAnnotation extends Annotation {
-  PrePassivateAnnotation() { this.getType().hasQualifiedName("javax.ejb", "PrePassivate") }
+  PrePassivateAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "PrePassivate")
+  }
 }

 /**
 * A `@javax.ejb.Remove` annotation.
 */
 class RemoveAnnotation extends Annotation {
-  RemoveAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Remove") }
+  RemoveAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Remove") }
 }

 /**
 * A `@javax.ejb.Schedule` annotation.
 */
 class ScheduleAnnotation extends Annotation {
-  ScheduleAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Schedule") }
+  ScheduleAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Schedule") }
 }

 /**
 * A `@javax.ejb.Schedules` annotation.
 */
 class SchedulesAnnotation extends Annotation {
-  SchedulesAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Schedules") }
+  SchedulesAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Schedules") }
 }

 /**
 * A `@javax.ejb.Singleton` annotation.
 */
 class SingletonAnnotation extends Annotation {
-  SingletonAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Singleton") }
+  SingletonAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Singleton") }
 }

 /**
 * A `@javax.ejb.Startup` annotation.
 */
 class StartupAnnotation extends Annotation {
-  StartupAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Startup") }
+  StartupAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Startup") }
 }

 /**
 * A `@javax.ejb.Stateful` annotation.
 */
 class StatefulAnnotation extends Annotation {
-  StatefulAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Stateful") }
+  StatefulAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Stateful") }
 }

 /**
 * A `@javax.ejb.StatefulTimeout` annotation.
 */
 class StatefulTimeoutAnnotation extends Annotation {
-  StatefulTimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "StatefulTimeout") }
+  StatefulTimeoutAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "StatefulTimeout")
+  }
 }

 /**
 * A `@javax.ejb.Stateless` annotation.
 */
 class StatelessAnnotation extends Annotation {
-  StatelessAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Stateless") }
+  StatelessAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Stateless") }
 }

 /**
 * A `@javax.ejb.Timeout` annotation.
 */
 class TimeoutAnnotation extends Annotation {
-  TimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Timeout") }
+  TimeoutAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Timeout") }
 }

 /**
@@ -930,7 +950,7 @@ class TimeoutAnnotation extends Annotation {
 */
 class TransactionAttributeAnnotation extends Annotation {
  TransactionAttributeAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "TransactionAttribute")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttribute")
  }
 }

@@ -939,7 +959,7 @@ class TransactionAttributeAnnotation extends Annotation {
 */
 class TransactionManagementAnnotation extends Annotation {
  TransactionManagementAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "TransactionManagement")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionManagement")
  }
 }

@@ -951,7 +971,10 @@ class RequiredTransactionAttributeAnnotation extends TransactionAttributeAnnotat
  RequiredTransactionAttributeAnnotation() {
    exists(FieldRead fr |
      this.getValue("value") = fr and
-      fr.getField().getType().(RefType).hasQualifiedName("javax.ejb", "TransactionAttributeType") and
+      fr.getField()
+          .getType()
+          .(RefType)
+          .hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttributeType") and
      fr.getField().getName() = "REQUIRED"
    )
  }
@@ -965,7 +988,10 @@ class RequiresNewTransactionAttributeAnnotation extends TransactionAttributeAnno
  RequiresNewTransactionAttributeAnnotation() {
    exists(FieldRead fr |
      this.getValue("value") = fr and
-      fr.getField().getType().(RefType).hasQualifiedName("javax.ejb", "TransactionAttributeType") and
+      fr.getField()
+          .getType()
+          .(RefType)
+          .hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttributeType") and
      fr.getField().getName() = "REQUIRES_NEW"
    )
  }
@@ -999,7 +1025,9 @@ TransactionAttributeAnnotation getInnermostTransactionAttributeAnnotation(Method
 */
 class SetRollbackOnlyMethod extends Method {
  SetRollbackOnlyMethod() {
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.ejb", "EJBContext") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBContext") and
    this.getName() = "setRollbackOnly" and
    this.hasNoParameters()
  }
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll
@@ -159,8 +159,8 @@ class GraphicsPackage extends Package {
  GraphicsPackage() {
    this.getName() = "java.awt" or
    this.getName().matches("java.awt.%") or
-    this.getName() = "javax.swing" or
-    this.getName().matches("javax.swing.%")
+    this.getName() = javaxOrJakarta() + ".swing" or
+    this.getName().matches(javaxOrJakarta() + ".swing.%")
  }
 }

--- a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll
@@ -9,7 +9,7 @@ import default
 */
 class FacesManagedBeanAnnotation extends Annotation {
  FacesManagedBeanAnnotation() {
-    this.getType().hasQualifiedName("javax.faces.bean", "ManagedBean")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".faces.bean", "ManagedBean")
  }

  /**
@@ -25,7 +25,7 @@ class FacesManagedBeanAnnotation extends Annotation {
 */
 class FacesComponentAnnotation extends Annotation {
  FacesComponentAnnotation() {
-    this.getType().hasQualifiedName("javax.faces.component", "FacesComponent")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".faces.component", "FacesComponent")
  }

  /**
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll
@@ -8,9 +8,7 @@ import java
 * The JSF class `FacesContext` for processing HTTP requests.
 */
 class FacesContext extends RefType {
-  FacesContext() {
-    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "FacesContext")
-  }
+  FacesContext() { this.hasQualifiedName(javaxOrJakarta() + ".faces.context", "FacesContext") }
 }

 /**
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll
@@ -14,7 +14,7 @@ import SpringComponentScan
 predicate hasInjectAnnotation(Annotatable a) {
  a.hasAnnotation("org.springframework.beans.factory.annotation", "Autowired") or
  a.getAnAnnotation() instanceof SpringResourceAnnotation or
-  a.hasAnnotation("javax.inject", "Inject")
+  a.hasAnnotation(javaxOrJakarta() + ".inject", "Inject")
 }

 /**
@@ -292,7 +292,7 @@ class SpringBeanAutowiredField extends Field {
 class SpringQualifierAnnotationType extends AnnotationType {
  SpringQualifierAnnotationType() {
    this.hasQualifiedName("org.springframework.beans.factory.annotation", "Qualifier") or
-    this.hasQualifiedName("javax.inject", "Qualifier") or
+    this.hasQualifiedName(javaxOrJakarta() + ".inject", "Qualifier") or
    this.getAnAnnotation().getType() instanceof SpringQualifierAnnotationType
  }
 }
@@ -340,7 +340,9 @@ class SpringQualifierAnnotation extends Annotation {
 * autowired by Spring, and can optionally specify a qualifier in the "name".
 */
 class SpringResourceAnnotation extends Annotation {
-  SpringResourceAnnotation() { this.getType().hasQualifiedName("javax.inject", "Resource") }
+  SpringResourceAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".inject", "Resource")
+  }

  /**
   * Gets the specified name value, if any.
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
@@ -210,10 +210,22 @@ class SpringRequestMappingParameter extends Parameter {
  predicate isNotDirectlyTaintedInput() {
    this.getType().(RefType).getAnAncestor() instanceof SpringWebRequest or
    this.getType().(RefType).getAnAncestor() instanceof SpringNativeWebRequest or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet", "ServletRequest") or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet", "ServletResponse") or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet.http", "HttpSession") or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet.http", "PushBuilder") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequest") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletResponse") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSession") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "PushBuilder") or
    this.getType().(RefType).getAnAncestor().hasQualifiedName("java.security", "Principal") or
    this.getType()
        .(RefType)
--- a/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll
@@ -23,7 +23,9 @@ private class CookieCleartextStorageSink extends CleartextStorageSink {
 /** The instantiation of a cookie, which can act as storage. */
 class Cookie extends Storable, ClassInstanceExpr {
  Cookie() {
-    this.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie")
+    this.getConstructor()
+        .getDeclaringType()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "Cookie")
  }

  /** Gets an input, for example `input` in `new Cookie("...", input);`. */
@@ -42,7 +44,8 @@ private predicate cookieStore(DataFlow::Node cookie, Expr store) {
  exists(MethodCall m, Method def |
    m.getMethod() = def and
    def.getName() = "addCookie" and
-    def.getDeclaringType().hasQualifiedName("javax.servlet.http", "HttpServletResponse") and
+    def.getDeclaringType()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletResponse") and
    store = m and
    cookie.asExpr() = m.getAnArgument()
  )
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -9,6 +9,7 @@ import java
 class SslClass extends RefType {
  SslClass() {
    exists(Class c | this.getAnAncestor() = c |
+      // Note there are no jakarta equivalents of these classes.
      c.hasQualifiedName("javax.net.ssl", _) or
      c.hasQualifiedName("javax.rmi.ssl", _)
    )
--- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
@@ -25,7 +25,7 @@ class SetMessageInterpolatorCall extends MethodCall {
      this.getMethod() = m and
      m.getDeclaringType().getASourceSupertype*() = t and
      (
-        t.hasQualifiedName("javax.validation", ["Configuration", "ValidatorContext"]) and
+        t.hasQualifiedName(javaxOrJakarta() + ".validation", ["Configuration", "ValidatorContext"]) and
        m.getName() = "messageInterpolator"
        or
        t.hasQualifiedName("org.springframework.validation.beanvalidation",
--- a/java/ql/lib/semmle/code/java/security/XSS.qll
+++ b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -127,7 +127,7 @@ class XssVulnerableWriterSource extends MethodCall {
    )
    or
    exists(Method m | m = this.getMethod() |
-      m.hasQualifiedName("javax.servlet.jsp", "JspContext", "getOut")
+      m.hasQualifiedName(javaxOrJakarta() + ".servlet.jsp", "JspContext", "getOut")
    )
    or
    this.getMethod() instanceof FacesGetResponseWriterMethod
--- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
@@ -62,12 +62,14 @@ abstract class ParserConfig extends MethodCall {

 /** The class `javax.xml.parsers.DocumentBuilderFactory`. */
 class DocumentBuilderFactory extends RefType {
-  DocumentBuilderFactory() { this.hasQualifiedName("javax.xml.parsers", "DocumentBuilderFactory") }
+  DocumentBuilderFactory() {
+    this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "DocumentBuilderFactory")
+  }
 }

 /** The class `javax.xml.parsers.DocumentBuilder`. */
 class DocumentBuilder extends RefType {
-  DocumentBuilder() { this.hasQualifiedName("javax.xml.parsers", "DocumentBuilder") }
+  DocumentBuilder() { this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "DocumentBuilder") }
 }

 /** A call to `DocumentBuilder.parse`. */
@@ -174,7 +176,7 @@ class SafeDocumentBuilder extends DocumentBuilderConstruction {

 /** The class `javax.xml.stream.XMLInputFactory`. */
 class XmlInputFactory extends RefType {
-  XmlInputFactory() { this.hasQualifiedName("javax.xml.stream", "XMLInputFactory") }
+  XmlInputFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.stream", "XMLInputFactory") }
 }

 /** A call to `XMLInputFactory.createXMLStreamReader`. */
@@ -243,7 +245,8 @@ class XmlInputFactoryConfig extends ParserConfig {
 * An `XmlInputFactory` specific expression that indicates whether parsing external entities is supported.
 */
 Expr configOptionIsSupportingExternalEntities() {
-  result.(ConstantStringExpr).getStringValue() = "javax.xml.stream.isSupportingExternalEntities"
+  result.(ConstantStringExpr).getStringValue() =
+    javaxOrJakarta() + ".xml.stream.isSupportingExternalEntities"
  or
  exists(Field f |
    result = f.getAnAccess() and
@@ -256,7 +259,7 @@ Expr configOptionIsSupportingExternalEntities() {
 * An `XmlInputFactory` specific expression that indicates whether DTD is supported.
 */
 Expr configOptionSupportDtd() {
-  result.(ConstantStringExpr).getStringValue() = "javax.xml.stream.supportDTD"
+  result.(ConstantStringExpr).getStringValue() = javaxOrJakarta() + ".xml.stream.supportDTD"
  or
  exists(Field f |
    result = f.getAnAccess() and
@@ -357,12 +360,14 @@ class SafeSaxBuilder extends VarAccess {
 * The class `javax.xml.parsers.SAXParser`.
 */
 class SaxParser extends RefType {
-  SaxParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") }
+  SaxParser() { this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "SAXParser") }
 }

 /** The class `javax.xml.parsers.SAXParserFactory`. */
 class SaxParserFactory extends RefType {
-  SaxParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") }
+  SaxParserFactory() {
+    this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "SAXParserFactory")
+  }
 }

 /** A call to `SAXParser.parse`. */
@@ -635,7 +640,7 @@ class CreatedSafeXmlReader extends Call {

 /** The class `javax.xml.transform.sax.SAXSource` */
 class SaxSource extends RefType {
-  SaxSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") }
+  SaxSource() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.sax", "SAXSource") }
 }

 /** A call to the constructor of `SAXSource` with `XmlReader` and `InputSource`. */
@@ -697,7 +702,7 @@ abstract class TransformerConfig extends MethodCall {

 /** The class `javax.xml.XMLConstants`. */
 class XmlConstants extends RefType {
-  XmlConstants() { this.hasQualifiedName("javax.xml", "XMLConstants") }
+  XmlConstants() { this.hasQualifiedName(javaxOrJakarta() + ".xml", "XMLConstants") }
 }

 /** A configuration specific for transformers and schema. */
@@ -739,14 +744,14 @@ Expr configAccessExternalSchema() {
 /** The class `javax.xml.transform.TransformerFactory` or `javax.xml.transform.sax.SAXTransformerFactory`. */
 class TransformerFactory extends RefType {
  TransformerFactory() {
-    this.hasQualifiedName("javax.xml.transform", "TransformerFactory") or
-    this.hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory")
+    this.hasQualifiedName(javaxOrJakarta() + ".xml.transform", "TransformerFactory") or
+    this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.sax", "SAXTransformerFactory")
  }
 }

 /** The class `javax.xml.transform.Transformer`. */
 class Transformer extends RefType {
-  Transformer() { this.hasQualifiedName("javax.xml.transform", "Transformer") }
+  Transformer() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform", "Transformer") }
 }

 /** A call to `Transformer.transform`. */
@@ -843,7 +848,8 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall {
  SaxTransformerFactoryNewXmlFilter() {
    exists(Method m |
      this.getMethod() = m and
-      m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") and
+      m.getDeclaringType()
+          .hasQualifiedName(javaxOrJakarta() + ".xml.transform.sax", "SAXTransformerFactory") and
      m.hasName("newXMLFilter")
    )
  }
@@ -858,7 +864,7 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall {
 /* Schema: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory */
 /** The class `javax.xml.validation.SchemaFactory`. */
 class SchemaFactory extends RefType {
-  SchemaFactory() { this.hasQualifiedName("javax.xml.validation", "SchemaFactory") }
+  SchemaFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.validation", "SchemaFactory") }
 }

 /** A `ParserConfig` specific to `SchemaFactory`. */
@@ -913,7 +919,7 @@ class SafeSchemaFactory extends VarAccess {
 /* Unmarshaller: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller */
 /** The class `javax.xml.bind.Unmarshaller`. */
 class XmlUnmarshaller extends RefType {
-  XmlUnmarshaller() { this.hasQualifiedName("javax.xml.bind", "Unmarshaller") }
+  XmlUnmarshaller() { this.hasQualifiedName(javaxOrJakarta() + ".xml.bind", "Unmarshaller") }
 }

 /** A call to `Unmarshaller.unmarshal`. */
@@ -934,12 +940,12 @@ class XmlUnmarshal extends XmlParserCall {
 /* XPathExpression: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression */
 /** The interface `javax.xml.xpath.XPathExpression`. */
 class XPathExpression extends Interface {
-  XPathExpression() { this.hasQualifiedName("javax.xml.xpath", "XPathExpression") }
+  XPathExpression() { this.hasQualifiedName(javaxOrJakarta() + ".xml.xpath", "XPathExpression") }
 }

 /** The interface `java.xml.xpath.XPath`. */
 class XPath extends Interface {
-  XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
+  XPath() { this.hasQualifiedName(javaxOrJakarta() + ".xml.xpath", "XPath") }
 }

 /** A call to the method `evaluate` of the classes `XPathExpression` or `XPath`. */
--- a/java/ql/lib/semmle/code/java/security/XsltInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/XsltInjection.qll
@@ -163,17 +163,17 @@ private predicate xsltPackageStep(DataFlow::Node n1, DataFlow::Node n2) {

 /** The class `javax.xml.transform.stax.StAXSource`. */
 private class TypeStAXSource extends Class {
-  TypeStAXSource() { this.hasQualifiedName("javax.xml.transform.stax", "StAXSource") }
+  TypeStAXSource() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.stax", "StAXSource") }
 }

 /** The class `javax.xml.transform.dom.DOMSource`. */
 private class TypeDomSource extends Class {
-  TypeDomSource() { this.hasQualifiedName("javax.xml.transform.dom", "DOMSource") }
+  TypeDomSource() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.dom", "DOMSource") }
 }

 /** The interface `javax.xml.transform.Templates`. */
 private class TypeTemplates extends Interface {
-  TypeTemplates() { this.hasQualifiedName("javax.xml.transform", "Templates") }
+  TypeTemplates() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform", "Templates") }
 }

 /** The class `net.sf.saxon.s9api.XsltCompiler`. */
@@ -205,7 +205,7 @@ private class DocumentBuilderParse extends MethodCall {

 /** The class `javax.xml.parsers.DocumentBuilder`. */
 private class DocumentBuilder extends RefType {
-  DocumentBuilder() { this.hasQualifiedName("javax.xml.parsers", "DocumentBuilder") }
+  DocumentBuilder() { this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "DocumentBuilder") }
 }

 /** A call to `XMLInputFactory.createXMLStreamReader`. */
@@ -232,5 +232,5 @@ private class XmlInputFactoryEventReader extends MethodCall {

 /** The class `javax.xml.stream.XMLInputFactory`. */
 private class XmlInputFactory extends RefType {
-  XmlInputFactory() { this.hasQualifiedName("javax.xml.stream", "XMLInputFactory") }
+  XmlInputFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.stream", "XMLInputFactory") }
 }
--- a/Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql
+++ b/Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql
@@ -19,7 +19,7 @@ class Adapter extends Class {
    this.getName().matches("%Adapter") and
    (
      this.getPackage().hasName("java.awt.event") or
-      this.getPackage().hasName("javax.swing.event")
+      this.getPackage().hasName(javaxOrJakarta() + ".swing.event")
    )
  }
 }
--- a/Bugs/Frameworks/Swing/ThreadSafety.ql
+++ b/Bugs/Frameworks/Swing/ThreadSafety.ql
@@ -15,7 +15,12 @@ import java

 from MethodCall ma, Method m, MainMethod main
 where
-  ma.getQualifier().getType().getCompilationUnit().getPackage().getName().matches("javax.swing%") and
+  ma.getQualifier()
+      .getType()
+      .getCompilationUnit()
+      .getPackage()
+      .getName()
+      .matches(javaxOrJakarta() + ".swing%") and
  (
    m.hasName("show") and m.hasNoParameters()
    or
--- a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -77,7 +77,9 @@ module MatchesHttpOnlyToRawHeaderFlow = TaintTracking::Global<MatchesHttpOnlyToR

 /** A class descended from `javax.servlet.http.Cookie`. */
 class CookieClass extends RefType {
-  CookieClass() { this.getAnAncestor().hasQualifiedName("javax.servlet.http", "Cookie") }
+  CookieClass() {
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet.http", "Cookie")
+  }
 }

 /** Holds if `expr` is any boolean-typed expression other than literal `false`. */
@@ -143,7 +145,7 @@ class CookieResponseWithoutHttpOnlySink extends DataFlow::ExprNode {

 /** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
 predicate setsHttpOnlyInNewCookie(ClassInstanceExpr cie) {
-  cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
+  cie.getConstructedType().hasQualifiedName(javaxOrJakarta() + ".ws.rs.core", "NewCookie") and
  (
    cie.getNumArgument() = 6 and
    mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
--- a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
@@ -27,7 +27,7 @@ class SocketFactoryType extends RefType {
  SocketFactoryType() {
    this.hasQualifiedName("java.rmi.server", "RMIServerSocketFactory") or
    this.hasQualifiedName("java.rmi.server", "RMIClientSocketFactory") or
-    this.hasQualifiedName("javax.net", "SocketFactory") or
+    this.hasQualifiedName(javaxOrJakarta() + ".net", "SocketFactory") or
    this.hasQualifiedName("java.net", "SocketImplFactory")
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -89,7 +89,7 @@ private class TaintPropagatingCall extends Call {
 }

 private class JakartaType extends RefType {
-  JakartaType() { this.getPackage().hasName(["javax.el", "jakarta.el"]) }
+  JakartaType() { this.getPackage().hasName(javaxOrJakarta() + ".el") }
 }

 private class ELProcessor extends JakartaType {
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -19,13 +19,19 @@ import ScriptInjectionFlow::PathGraph
 /** A method of ScriptEngine that allows code injection. */
 class ScriptEngineMethod extends Method {
  ScriptEngineMethod() {
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "ScriptEngine") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".script", "ScriptEngine") and
    this.hasName("eval")
    or
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "Compilable") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".script", "Compilable") and
    this.hasName("compile")
    or
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "ScriptEngineFactory") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".script", "ScriptEngineFactory") and
    this.hasName(["getProgram", "getMethodCallSyntax"])
  }
 }
@@ -78,7 +84,10 @@ class RhinoDefineClassMethod extends Method {
 predicate isScriptArgument(MethodCall ma, Expr sink) {
  exists(ScriptEngineMethod m |
    m = ma.getMethod() and
-    if m.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "ScriptEngineFactory")
+    if
+      m.getDeclaringType()
+          .getAnAncestor()
+          .hasQualifiedName(javaxOrJakarta() + ".script", "ScriptEngineFactory")
    then sink = ma.getArgument(_) // all arguments allow script injection
    else sink = ma.getArgument(0)
  )
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
@@ -26,7 +26,7 @@ class PortletRenderRequestMethod extends Method {
  PortletRenderRequestMethod() {
    exists(RefType c, Interface t |
      c.extendsOrImplements*(t) and
-      t.hasQualifiedName("javax.portlet", "RenderState") and
+      t.hasQualifiedName(javaxOrJakarta() + ".portlet", "RenderState") and
      this = c.getAMethod()
    |
      this.hasName([
--- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
@@ -21,7 +21,7 @@ abstract private class ProduceCryptoCall extends MethodCall {
 /** A method call that produces a MAC. */
 private class ProduceMacCall extends ProduceCryptoCall {
  ProduceMacCall() {
-    this.getMethod().getDeclaringType().hasQualifiedName("javax.crypto", "Mac") and
+    this.getMethod().getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac") and
    (
      this.getMethod().hasStringSignature(["doFinal()", "doFinal(byte[])"]) and this = output
      or
@@ -53,7 +53,7 @@ private class ProduceSignatureCall extends ProduceCryptoCall {
 private module InitializeEncryptorConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(MethodCall ma |
-      ma.getMethod().hasQualifiedName("javax.crypto", "Cipher", "init") and
+      ma.getMethod().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "init") and
      ma.getArgument(0).(VarAccess).getVariable().hasName("ENCRYPT_MODE") and
      ma.getQualifier() = source.asExpr()
    )
@@ -61,7 +61,7 @@ private module InitializeEncryptorConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall ma |
-      ma.getMethod().hasQualifiedName("javax.crypto", "Cipher", "doFinal") and
+      ma.getMethod().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "doFinal") and
      ma.getQualifier() = sink.asExpr()
    )
  }
@@ -73,7 +73,7 @@ private module InitializeEncryptorFlow = DataFlow::Global<InitializeEncryptorCon
 private class ProduceCiphertextCall extends ProduceCryptoCall {
  ProduceCiphertextCall() {
    exists(Method m | m = this.getMethod() |
-      m.getDeclaringType().hasQualifiedName("javax.crypto", "Cipher") and
+      m.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher") and
      (
        m.hasStringSignature(["doFinal()", "doFinal(byte[])", "doFinal(byte[], int, int)"]) and
        this = output
@@ -104,9 +104,9 @@ private predicate updateCryptoOperationStep(DataFlow::Node fromNode, DataFlow::N
  |
    m.hasQualifiedName("java.security", "Signature", "update")
    or
-    m.hasQualifiedName("javax.crypto", ["Mac", "Cipher"], "update")
+    m.hasQualifiedName(javaxOrJakarta() + ".crypto", ["Mac", "Cipher"], "update")
    or
-    m.hasQualifiedName("javax.crypto", ["Mac", "Cipher"], "doFinal") and
+    m.hasQualifiedName(javaxOrJakarta() + ".crypto", ["Mac", "Cipher"], "doFinal") and
    not m.hasStringSignature("doFinal(byte[], int)")
  )
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
@@ -95,5 +95,5 @@ class UnsafeTlsVersion extends StringLiteral {
 }

 class SslServerSocket extends RefType {
-  SslServerSocket() { this.hasQualifiedName("javax.net.ssl", "SSLServerSocket") }
+  SslServerSocket() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLServerSocket") }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
@@ -21,11 +21,11 @@ class GetInitParameter extends Method {
    (
      this.getDeclaringType()
          .getAnAncestor()
-          .hasQualifiedName(["javax.servlet", "jakarta.servlet"],
+          .hasQualifiedName(javaxOrJakarta() + ".servlet",
            ["FilterConfig", "Registration", "ServletConfig", "ServletContext"]) or
      this.getDeclaringType()
          .getAnAncestor()
-          .hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
+          .hasQualifiedName(javaxOrJakarta() + ".faces.context", "ExternalContext")
    ) and
    this.getName() = "getInitParameter"
  }
--- a/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
@@ -16,7 +16,9 @@ deprecated import TestLib

 /** The java type `javax.servlet.Filter`. */
 class ServletFilterClass extends Class {
-  ServletFilterClass() { this.getAnAncestor().hasQualifiedName("javax.servlet", "Filter") }
+  ServletFilterClass() {
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Filter")
+  }
 }

 /** Listener class in the package `javax.servlet` and `javax.servlet.http` */
@@ -26,7 +28,8 @@ class ServletListenerClass extends Class {
    this.getAnAncestor()
        .getQualifiedName()
        .regexpMatch([
-            "javax\\.servlet\\.[a-zA-Z]+Listener", "javax\\.servlet\\.http\\.[a-zA-Z]+Listener"
+            javaxOrJakarta() + "\\.servlet\\.[a-zA-Z]+Listener",
+            javaxOrJakarta() + "\\.servlet\\.http\\.[a-zA-Z]+Listener"
          ])
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
@@ -38,7 +38,9 @@ private class UrlDispatchSink extends UrlRedirectSink {
 /** The `doFilter` method of `javax.servlet.FilterChain`. */
 private class ServletFilterMethod extends Method {
  ServletFilterMethod() {
-    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.servlet", "FilterChain") and
+    this.getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet", "FilterChain") and
    this.hasName("doFilter")
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
@@ -9,7 +9,7 @@ class XQueryParserCall extends MethodCall {
      this.getMethod() = m and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQConnection") and
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQConnection") and
      m.hasName("prepareExpression")
    )
  }
@@ -29,7 +29,7 @@ class XQueryPreparedExecuteCall extends MethodCall {
      m.hasName("executeQuery") and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQPreparedExpression")
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQPreparedExpression")
    )
  }

@@ -45,7 +45,7 @@ class XQueryExecuteCall extends MethodCall {
      m.hasName("executeQuery") and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQExpression")
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQExpression")
    )
  }

@@ -61,7 +61,7 @@ class XQueryExecuteCommandCall extends MethodCall {
      m.hasName("executeCommand") and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQExpression")
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQExpression")
    )
  }

--- a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
@@ -18,13 +18,15 @@ import semmle.code.java.Maps
 predicate isRmiOrJmxServerCreateConstructor(Constructor constructor) {
  constructor
      .getDeclaringType()
-      .hasQualifiedName("javax.management.remote.rmi", "RMIConnectorServer")
+      .hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnectorServer")
 }

 /** Holds if `method` creates an RMI or JMX server. */
 predicate isRmiOrJmxServerCreateMethod(Method method) {
  method.getName() = "newJMXConnectorServer" and
-  method.getDeclaringType().hasQualifiedName("javax.management.remote", "JMXConnectorServerFactory")
+  method
+      .getDeclaringType()
+      .hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXConnectorServerFactory")
 }

 /**
@@ -59,7 +61,7 @@ module SafeFlowConfig implements DataFlow::ConfigSig {
      put.getKey()
          .(FieldAccess)
          .getField()
-          .hasQualifiedName("javax.management.remote.rmi", "RMIConnectorServer",
+          .hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnectorServer",
            ["CREDENTIAL_TYPES", "CREDENTIALS_FILTER_PATTERN"])
    |
      put.getQualifier() = qualifier and
--- a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
@@ -10,7 +10,7 @@ import java
 */
 class ExternalContext extends RefType {
  ExternalContext() {
-    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
+    this.hasQualifiedName(javaxOrJakarta() + ".faces.context", "ExternalContext")
  }
 }

--- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -26,7 +26,7 @@ predicate isPrimitiveTypeUsedForBulkData(J::Type t) {
 }

 private predicate isInfrequentlyUsed(J::CompilationUnit cu) {
-  cu.getPackage().getName().matches("javax.swing%") or
+  cu.getPackage().getName().matches(javaxOrJakarta() + ".swing%") or
  cu.getPackage().getName().matches("java.awt%")
 }