Merge pull request #21221 from github/navntoft/struts

Java: Add support for Struts 7.x package names
2026-02-12 05:01:06 +01:00 · 2026-01-27 15:53:26 +01:00
parent 46a5035543 ede05b54ea
commit b7125a009e
3 changed files with 15 additions and 5 deletions
--- a/java/ql/lib/change-notes/2026-01-27-struts-7-support.md
+++ b/java/ql/lib/change-notes/2026-01-27-struts-7-support.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for Struts 7.x package names in the Struts framework library. The library now recognizes both the legacy `com.opensymphony.xwork2` package names (Struts 2.x-6.x) and the new `org.apache.struts2` package names (Struts 7.x+), maintaining backward compatibility while enabling analysis of code using the latest Struts versions.
--- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
@@ -20,7 +20,10 @@ class Struts2ActionClass extends Class {
    // If there are no XML files present, then we assume we any class that extends a struts 2
    // action must be reflectively constructed, as we have no better indication.
    not exists(XmlFile xmlFile) and
-    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+    (
+      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+      this.getAnAncestor().hasQualifiedName("org.apache.struts2.action", "Action")
+    )
    or
    // If there is a struts.xml file, then any class that is specified as an action is considered
    // to be reflectively constructed.
@@ -78,7 +81,8 @@ class Struts2ActionClass extends Class {
   * Holds if this action class extends the preparable interface.
   */
  predicate isPreparable() {
-    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable")
+    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable") or
+    this.getAnAncestor().hasQualifiedName("org.apache.struts2", "Preparable")
  }

  /**
@@ -122,7 +126,8 @@ class Struts2PrepareMethod extends Method {
 */
 class Struts2ActionSupportClass extends Class {
  Struts2ActionSupportClass() {
-    this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
+    this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport") or
+    this.getASourceSupertype+().hasQualifiedName("org.apache.struts2", "ActionSupport")
  }

  /**
--- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
@@ -96,7 +96,7 @@ private string getConventionSuffix(RefType refType) {
 *
 * The convention plugin identifies as an action class any class that has an ancestor package with
 * the name "struts", "struts2", "action" or "actions", and either has an indicative suffix on the
- * name, or extends com.opensymphony.xwork2.Action.
+ * name, or extends com.opensymphony.xwork2.Action (Struts 2.x-6.x) or org.apache.struts2.action.Action (Struts 7.x+).
 */
 class Struts2ConventionActionClass extends Class {
  Struts2ConventionActionClass() {
@@ -108,7 +108,8 @@ class Struts2ConventionActionClass extends Class {
    ) and
    (
      this.getName().matches("%" + getConventionSuffix(this)) or
-      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+      this.getAnAncestor().hasQualifiedName("org.apache.struts2.action", "Action")
    )
  }