From 9a94d0474c3fe178747c07f0b97bd74e5a768427 Mon Sep 17 00:00:00 2001
From: Mads Navntoft
Date: Mon, 26 Jan 2026 16:09:16 +0100
Subject: [PATCH 1/2] Java: Add support for Struts 7.x package names

Updates Struts library to recognize both legacy xwork2 and new struts2 packages:
- StrutsActions.qll: Add org.apache.struts2 alternatives for Action, Preparable, ActionSupport
- StrutsConventions.qll: Add org.apache.struts2.action.Action alternative

This maintains backward compatibility for analyzing Struts 2.x-6.x apps while supporting Struts 7.x which renamed packages from com.opensymphony.xwork2 to org.apache.struts2.
---
 .../code/java/frameworks/struts/StrutsActions.qll | 11 ++++++++---
 .../code/java/frameworks/struts/StrutsConventions.qll | 5 +++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
index 729268d4008a..f5b5e345802a 100644
--- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
@@ -20,7 +20,10 @@ class Struts2ActionClass extends Class {
 // If there are no XML files present, then we assume we any class that extends a struts 2
 // action must be reflectively constructed, as we have no better indication.
 not exists(XmlFile xmlFile) and
- this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+ (
+ this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+ this.getAnAncestor().hasQualifiedName("org.apache.struts2.action", "Action")
+ )
 or
 // If there is a struts.xml file, then any class that is specified as an action is considered
 // to be reflectively constructed.
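Review bot: The two-package `Action` disjunction added here is repeated verbatim in the `Struts2ConventionActionClass` hunk of StrutsConventions.qll, and hunks 2 and 3 repeat the same two-prefix pattern for `Preparable` and `ActionSupport`, so the Struts 7.x package list now lives in four places. A small type class, exported from StrutsActions.qll or wherever both files can import it (their import relationship is not visible here), would let each call site become `this.getAnAncestor() instanceof Struts2ActionType` and keep the next rename to a single edit. The characteristic predicate of `Struts2ActionClass` continues outside the hunk. Any other `com.opensymphony.xwork2` references elsewhere in the Struts library, for example in source or sink models, would need the same treatment or Struts 7.x actions will be missed as remote flow sources; none are visible in this diff, so this is only worth checking.
```ql
/**
 * The Struts `Action` type, in the legacy `com.opensymphony.xwork2` package
 * (Struts 2.x-6.x) or the `org.apache.struts2.action` package (Struts 7.x+).
 */
class Struts2ActionType extends RefType {
  Struts2ActionType() {
    this.hasQualifiedName("com.opensymphony.xwork2", "Action") or
    this.hasQualifiedName("org.apache.struts2.action", "Action")
  }
}

    // … unchanged: XML-file check …
    not exists(XmlFile xmlFile) and
    this.getAnAncestor() instanceof Struts2ActionType
    or
    // … unchanged: struts.xml branch …
```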
@@ -78,7 +81,8 @@ class Struts2ActionClass extends Class {
 * Holds if this action class extends the preparable interface.
 */
 predicate isPreparable() {
- this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable")
+ this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable") or
+ this.getAnAncestor().hasQualifiedName("org.apache.struts2", "Preparable")
 }
 
 /**
@@ -122,7 +126,8 @@ class Struts2PrepareMethod extends Method {
 */
 class Struts2ActionSupportClass extends Class {
 Struts2ActionSupportClass() {
- this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
+ this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport") or
+ this.getASourceSupertype+().hasQualifiedName("org.apache.struts2", "ActionSupport")
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
index 3e2fd5c0b974..ba70a59df59c 100644
--- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
@@ -96,7 +96,7 @@ private string getConventionSuffix(RefType refType) {
 *
 * The convention plugin identifies as an action class any class that has an ancestor package with
 * the name "struts", "struts2", "action" or "actions", and either has an indicative suffix on the
- * name, or extends com.opensymphony.xwork2.Action.
+ * name, or extends com.opensymphony.xwork2.Action (Struts 2.x-6.x) or org.apache.struts2.action.Action (Struts 7.x+).
 */
 class Struts2ConventionActionClass extends Class {
 Struts2ConventionActionClass() {
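Review bot: The new `org.apache.struts2` prefix for `Preparable` differs from the `org.apache.struts2.action` prefix used for `Action` in the first hunk, and hunk 3 uses the shorter prefix again for `ActionSupport`; nothing in the code records that this difference is deliberate, so a later reader may "harmonize" one of them and silently drop the match, which would cost the `Preparable`/`ActionSupport` based modelling on Struts 7.x code. A short addition to the `isPreparable` QLDoc would settle it, e.g. `Holds if this action class extends the preparable interface, from either the legacy com.opensymphony.xwork2 package or, on Struts 7.x, org.apache.struts2 (unlike Action, which moved to org.apache.struts2.action).` The same note belongs in the QLDoc of `Struts2ActionSupportClass`, which begins outside hunk 3.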
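Review bot: The rewritten QLDoc line in the `Struts2ConventionActionClass` comment runs well past the width of the neighbouring lines, which wrap at roughly 100 columns, so the block no longer reads as one paragraph. Splitting it keeps the comment consistent: `* name, or extends com.opensymphony.xwork2.Action (Struts 2.x-6.x) or` / `* org.apache.struts2.action.Action (Struts 7.x+).` The characteristic predicate that follows the comment continues outside the hunk.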
@@ -108,7 +108,8 @@ class Struts2ConventionActionClass extends Class {
 ) and
 (
 this.getName().matches("%" + getConventionSuffix(this)) or
- this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+ this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+ this.getAnAncestor().hasQualifiedName("org.apache.struts2.action", "Action")
 )
 }
 
From ede05b54ea95f73a0336fb59a69a4f949a4e0996 Mon Sep 17 00:00:00 2001
From: Mads Navntoft
Date: Tue, 27 Jan 2026 13:00:16 +0100
Subject: [PATCH 2/2] Java: Add change note for Struts 7.x package name support
---
 java/ql/lib/change-notes/2026-01-27-struts-7-support.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2026-01-27-struts-7-support.md

diff --git a/java/ql/lib/change-notes/2026-01-27-struts-7-support.md b/java/ql/lib/change-notes/2026-01-27-struts-7-support.md
new file mode 100644
index 000000000000..a94a03567ee2
--- /dev/null
+++ b/java/ql/lib/change-notes/2026-01-27-struts-7-support.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for Struts 7.x package names in the Struts framework library. The library now recognizes both the legacy `com.opensymphony.xwork2` package names (Struts 2.x-6.x) and the new `org.apache.struts2` package names (Struts 7.x+), maintaining backward compatibility while enabling analysis of code using the latest Struts versions.