Replace "javax" with javaxOrJakarta()

This is just a find-replace of `"javax` with `javaxOrJakarta() + "`.
2026-04-24 08:15:14 +02:00 · 2026-02-12 12:21:04 +00:00
parent 149f3ed5b6
commit a5e6f6daf9
45 changed files with 370 additions and 218 deletions
--- a/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql
+++ b/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql
@@ -115,8 +115,8 @@ predicate jdkPackage(Package p) {
  |
    pkgName =
      [
-        "com.sun", "sun", "java", "javax", "com.oracle.net", "genstubs", "jdk", "build.tools",
-        "org.omg.CORBA", "org.ietf.jgss"
+        "com.sun", "sun", "java", javaxOrJakarta() + "", "com.oracle.net", "genstubs", "jdk",
+        "build.tools", "org.omg.CORBA", "org.ietf.jgss"
      ]
  )
 }
--- a/Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql
+++ b/Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql
@@ -19,7 +19,7 @@ class Adapter extends Class {
    this.getName().matches("%Adapter") and
    (
      this.getPackage().hasName("java.awt.event") or
-      this.getPackage().hasName("javax.swing.event")
+      this.getPackage().hasName(javaxOrJakarta() + ".swing.event")
    )
  }
 }
--- a/Bugs/Frameworks/Swing/ThreadSafety.ql
+++ b/Bugs/Frameworks/Swing/ThreadSafety.ql
@@ -15,7 +15,12 @@ import java

 from MethodCall ma, Method m, MainMethod main
 where
-  ma.getQualifier().getType().getCompilationUnit().getPackage().getName().matches("javax.swing%") and
+  ma.getQualifier()
+      .getType()
+      .getCompilationUnit()
+      .getPackage()
+      .getName()
+      .matches(javaxOrJakarta() + ".swing%") and
  (
    m.hasName("show") and m.hasNoParameters()
    or
--- a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -77,7 +77,9 @@ module MatchesHttpOnlyToRawHeaderFlow = TaintTracking::Global<MatchesHttpOnlyToR

 /** A class descended from `javax.servlet.http.Cookie`. */
 class CookieClass extends RefType {
-  CookieClass() { this.getAnAncestor().hasQualifiedName("javax.servlet.http", "Cookie") }
+  CookieClass() {
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet.http", "Cookie")
+  }
 }

 /** Holds if `expr` is any boolean-typed expression other than literal `false`. */
@@ -143,7 +145,8 @@ class CookieResponseWithoutHttpOnlySink extends DataFlow::ExprNode {

 /** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
 predicate setsHttpOnlyInNewCookie(ClassInstanceExpr cie) {
-  cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
+  cie.getConstructedType()
+      .hasQualifiedName([javaxOrJakarta() + ".ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
  (
    cie.getNumArgument() = 6 and
    mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
--- a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
@@ -27,7 +27,7 @@ class SocketFactoryType extends RefType {
  SocketFactoryType() {
    this.hasQualifiedName("java.rmi.server", "RMIServerSocketFactory") or
    this.hasQualifiedName("java.rmi.server", "RMIClientSocketFactory") or
-    this.hasQualifiedName("javax.net", "SocketFactory") or
+    this.hasQualifiedName(javaxOrJakarta() + ".net", "SocketFactory") or
    this.hasQualifiedName("java.net", "SocketImplFactory")
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -89,7 +89,7 @@ private class TaintPropagatingCall extends Call {
 }

 private class JakartaType extends RefType {
-  JakartaType() { this.getPackage().hasName(["javax.el", "jakarta.el"]) }
+  JakartaType() { this.getPackage().hasName([javaxOrJakarta() + ".el", "jakarta.el"]) }
 }

 private class ELProcessor extends JakartaType {
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -19,13 +19,19 @@ import ScriptInjectionFlow::PathGraph
 /** A method of ScriptEngine that allows code injection. */
 class ScriptEngineMethod extends Method {
  ScriptEngineMethod() {
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "ScriptEngine") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".script", "ScriptEngine") and
    this.hasName("eval")
    or
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "Compilable") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".script", "Compilable") and
    this.hasName("compile")
    or
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "ScriptEngineFactory") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".script", "ScriptEngineFactory") and
    this.hasName(["getProgram", "getMethodCallSyntax"])
  }
 }
@@ -78,7 +84,10 @@ class RhinoDefineClassMethod extends Method {
 predicate isScriptArgument(MethodCall ma, Expr sink) {
  exists(ScriptEngineMethod m |
    m = ma.getMethod() and
-    if m.getDeclaringType().getAnAncestor().hasQualifiedName("javax.script", "ScriptEngineFactory")
+    if
+      m.getDeclaringType()
+          .getAnAncestor()
+          .hasQualifiedName(javaxOrJakarta() + ".script", "ScriptEngineFactory")
    then sink = ma.getArgument(_) // all arguments allow script injection
    else sink = ma.getArgument(0)
  )
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
@@ -26,7 +26,7 @@ class PortletRenderRequestMethod extends Method {
  PortletRenderRequestMethod() {
    exists(RefType c, Interface t |
      c.extendsOrImplements*(t) and
-      t.hasQualifiedName("javax.portlet", "RenderState") and
+      t.hasQualifiedName(javaxOrJakarta() + ".portlet", "RenderState") and
      this = c.getAMethod()
    |
      this.hasName([
--- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
@@ -21,7 +21,7 @@ abstract private class ProduceCryptoCall extends MethodCall {
 /** A method call that produces a MAC. */
 private class ProduceMacCall extends ProduceCryptoCall {
  ProduceMacCall() {
-    this.getMethod().getDeclaringType().hasQualifiedName("javax.crypto", "Mac") and
+    this.getMethod().getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac") and
    (
      this.getMethod().hasStringSignature(["doFinal()", "doFinal(byte[])"]) and this = output
      or
@@ -53,7 +53,7 @@ private class ProduceSignatureCall extends ProduceCryptoCall {
 private module InitializeEncryptorConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(MethodCall ma |
-      ma.getMethod().hasQualifiedName("javax.crypto", "Cipher", "init") and
+      ma.getMethod().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "init") and
      ma.getArgument(0).(VarAccess).getVariable().hasName("ENCRYPT_MODE") and
      ma.getQualifier() = source.asExpr()
    )
@@ -61,7 +61,7 @@ private module InitializeEncryptorConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall ma |
-      ma.getMethod().hasQualifiedName("javax.crypto", "Cipher", "doFinal") and
+      ma.getMethod().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "doFinal") and
      ma.getQualifier() = sink.asExpr()
    )
  }
@@ -73,7 +73,7 @@ private module InitializeEncryptorFlow = DataFlow::Global<InitializeEncryptorCon
 private class ProduceCiphertextCall extends ProduceCryptoCall {
  ProduceCiphertextCall() {
    exists(Method m | m = this.getMethod() |
-      m.getDeclaringType().hasQualifiedName("javax.crypto", "Cipher") and
+      m.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher") and
      (
        m.hasStringSignature(["doFinal()", "doFinal(byte[])", "doFinal(byte[], int, int)"]) and
        this = output
@@ -104,9 +104,9 @@ private predicate updateCryptoOperationStep(DataFlow::Node fromNode, DataFlow::N
  |
    m.hasQualifiedName("java.security", "Signature", "update")
    or
-    m.hasQualifiedName("javax.crypto", ["Mac", "Cipher"], "update")
+    m.hasQualifiedName(javaxOrJakarta() + ".crypto", ["Mac", "Cipher"], "update")
    or
-    m.hasQualifiedName("javax.crypto", ["Mac", "Cipher"], "doFinal") and
+    m.hasQualifiedName(javaxOrJakarta() + ".crypto", ["Mac", "Cipher"], "doFinal") and
    not m.hasStringSignature("doFinal(byte[], int)")
  )
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
@@ -95,5 +95,5 @@ class UnsafeTlsVersion extends StringLiteral {
 }

 class SslServerSocket extends RefType {
-  SslServerSocket() { this.hasQualifiedName("javax.net.ssl", "SSLServerSocket") }
+  SslServerSocket() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLServerSocket") }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
@@ -21,11 +21,12 @@ class GetInitParameter extends Method {
    (
      this.getDeclaringType()
          .getAnAncestor()
-          .hasQualifiedName(["javax.servlet", "jakarta.servlet"],
+          .hasQualifiedName([javaxOrJakarta() + ".servlet", "jakarta.servlet"],
            ["FilterConfig", "Registration", "ServletConfig", "ServletContext"]) or
      this.getDeclaringType()
          .getAnAncestor()
-          .hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
+          .hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"],
+            "ExternalContext")
    ) and
    this.getName() = "getInitParameter"
  }
--- a/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
@@ -16,7 +16,9 @@ deprecated import TestLib

 /** The java type `javax.servlet.Filter`. */
 class ServletFilterClass extends Class {
-  ServletFilterClass() { this.getAnAncestor().hasQualifiedName("javax.servlet", "Filter") }
+  ServletFilterClass() {
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Filter")
+  }
 }

 /** Listener class in the package `javax.servlet` and `javax.servlet.http` */
@@ -26,7 +28,8 @@ class ServletListenerClass extends Class {
    this.getAnAncestor()
        .getQualifiedName()
        .regexpMatch([
-            "javax\\.servlet\\.[a-zA-Z]+Listener", "javax\\.servlet\\.http\\.[a-zA-Z]+Listener"
+            javaxOrJakarta() + "\\.servlet\\.[a-zA-Z]+Listener",
+            javaxOrJakarta() + "\\.servlet\\.http\\.[a-zA-Z]+Listener"
          ])
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
@@ -38,7 +38,9 @@ private class UrlDispatchSink extends UrlRedirectSink {
 /** The `doFilter` method of `javax.servlet.FilterChain`. */
 private class ServletFilterMethod extends Method {
  ServletFilterMethod() {
-    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.servlet", "FilterChain") and
+    this.getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet", "FilterChain") and
    this.hasName("doFilter")
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
@@ -9,7 +9,7 @@ class XQueryParserCall extends MethodCall {
      this.getMethod() = m and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQConnection") and
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQConnection") and
      m.hasName("prepareExpression")
    )
  }
@@ -29,7 +29,7 @@ class XQueryPreparedExecuteCall extends MethodCall {
      m.hasName("executeQuery") and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQPreparedExpression")
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQPreparedExpression")
    )
  }

@@ -45,7 +45,7 @@ class XQueryExecuteCall extends MethodCall {
      m.hasName("executeQuery") and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQExpression")
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQExpression")
    )
  }

@@ -61,7 +61,7 @@ class XQueryExecuteCommandCall extends MethodCall {
      m.hasName("executeCommand") and
      m.getDeclaringType()
          .getASourceSupertype*()
-          .hasQualifiedName("javax.xml.xquery", "XQExpression")
+          .hasQualifiedName(javaxOrJakarta() + ".xml.xquery", "XQExpression")
    )
  }

--- a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
@@ -18,13 +18,15 @@ import semmle.code.java.Maps
 predicate isRmiOrJmxServerCreateConstructor(Constructor constructor) {
  constructor
      .getDeclaringType()
-      .hasQualifiedName("javax.management.remote.rmi", "RMIConnectorServer")
+      .hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnectorServer")
 }

 /** Holds if `method` creates an RMI or JMX server. */
 predicate isRmiOrJmxServerCreateMethod(Method method) {
  method.getName() = "newJMXConnectorServer" and
-  method.getDeclaringType().hasQualifiedName("javax.management.remote", "JMXConnectorServerFactory")
+  method
+      .getDeclaringType()
+      .hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXConnectorServerFactory")
 }

 /**
@@ -59,7 +61,7 @@ module SafeFlowConfig implements DataFlow::ConfigSig {
      put.getKey()
          .(FieldAccess)
          .getField()
-          .hasQualifiedName("javax.management.remote.rmi", "RMIConnectorServer",
+          .hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnectorServer",
            ["CREDENTIAL_TYPES", "CREDENTIALS_FILTER_PATTERN"])
    |
      put.getQualifier() = qualifier and
--- a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
@@ -10,7 +10,8 @@ import java
 */
 class ExternalContext extends RefType {
  ExternalContext() {
-    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
+    this.hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"],
+      "ExternalContext")
  }
 }

--- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -26,7 +26,7 @@ predicate isPrimitiveTypeUsedForBulkData(J::Type t) {
 }

 private predicate isInfrequentlyUsed(J::CompilationUnit cu) {
-  cu.getPackage().getName().matches("javax.swing%") or
+  cu.getPackage().getName().matches(javaxOrJakarta() + ".swing%") or
  cu.getPackage().getName().matches("java.awt%")
 }