Java: Add support for Struts 7.x package names

Updates Struts library to recognize both legacy xwork2 and new struts2 packages: - StrutsActions.qll: Add org.apache.struts2 alternatives for Action, Preparable, ActionSupport - StrutsConventions.qll: Add org.apache.struts2.action.Action alternative This maintains backward compatibility for analyzing Struts 2.x-6.x apps while supporting Struts 7.x which renamed packages from com.opensymphony.xwork2 to org.apache.struts2.
2026-02-11 20:51:06 +01:00 · 2026-01-26 16:09:16 +01:00
parent fbcb65a5d9
commit 9a94d0474c
2 changed files with 11 additions and 5 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
@@ -20,7 +20,10 @@ class Struts2ActionClass extends Class {
    // If there are no XML files present, then we assume we any class that extends a struts 2
    // action must be reflectively constructed, as we have no better indication.
    not exists(XmlFile xmlFile) and
-    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+    (
+      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+      this.getAnAncestor().hasQualifiedName("org.apache.struts2.action", "Action")
+    )
    or
    // If there is a struts.xml file, then any class that is specified as an action is considered
    // to be reflectively constructed.
@@ -78,7 +81,8 @@ class Struts2ActionClass extends Class {
   * Holds if this action class extends the preparable interface.
   */
  predicate isPreparable() {
-    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable")
+    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable") or
+    this.getAnAncestor().hasQualifiedName("org.apache.struts2", "Preparable")
  }

  /**
@@ -122,7 +126,8 @@ class Struts2PrepareMethod extends Method {
 */
 class Struts2ActionSupportClass extends Class {
  Struts2ActionSupportClass() {
-    this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
+    this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport") or
+    this.getASourceSupertype+().hasQualifiedName("org.apache.struts2", "ActionSupport")
  }

  /**
--- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
@@ -96,7 +96,7 @@ private string getConventionSuffix(RefType refType) {
 *
 * The convention plugin identifies as an action class any class that has an ancestor package with
 * the name "struts", "struts2", "action" or "actions", and either has an indicative suffix on the
- * name, or extends com.opensymphony.xwork2.Action.
+ * name, or extends com.opensymphony.xwork2.Action (Struts 2.x-6.x) or org.apache.struts2.action.Action (Struts 7.x+).
 */
 class Struts2ConventionActionClass extends Class {
  Struts2ConventionActionClass() {
@@ -108,7 +108,8 @@ class Struts2ConventionActionClass extends Class {
    ) and
    (
      this.getName().matches("%" + getConventionSuffix(this)) or
-      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+      this.getAnAncestor().hasQualifiedName("org.apache.struts2.action", "Action")
    )
  }