Java: Add support for Struts 7.x package names

Updates Struts library to recognize both legacy xwork2 and new struts2 packages:
- StrutsActions.qll: Add org.apache.struts2 alternatives for Action, Preparable, ActionSupport
- StrutsConventions.qll: Add ActionSupport ancestry checks for convention plugin detection

This maintains backward compatibility for analyzing Struts 2.x-6.x apps while
supporting Struts 7.x which renamed packages from com.opensymphony.xwork2 to
org.apache.struts2 and removed the Action interface.

Author: navntoft

java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll

@@ -20,7 +20,10 @@ class Struts2ActionClass extends Class {
     // If there are no XML files present, then we assume we any class that extends a struts 2
     // action must be reflectively constructed, as we have no better indication.
     not exists(XmlFile xmlFile) and
-    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+    (
+      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+      this.getAnAncestor().hasQualifiedName("org.apache.struts2", "Action")
+    )
     or
     // If there is a struts.xml file, then any class that is specified as an action is considered
     // to be reflectively constructed.
@@ -78,7 +81,8 @@ class Struts2ActionClass extends Class {
    * Holds if this action class extends the preparable interface.
    */
   predicate isPreparable() {
-    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable")
+    this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Preparable") or
+    this.getAnAncestor().hasQualifiedName("org.apache.struts2", "Preparable")
   }
 
   /**
@@ -122,7 +126,8 @@ class Struts2PrepareMethod extends Method {
  */
 class Struts2ActionSupportClass extends Class {
   Struts2ActionSupportClass() {
-    this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
+    this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport") or
+    this.getASourceSupertype+().hasQualifiedName("org.apache.struts2", "ActionSupport")
   }
 
   /**

java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll

@@ -96,7 +96,7 @@ private string getConventionSuffix(RefType refType) {
  *
  * The convention plugin identifies as an action class any class that has an ancestor package with
  * the name "struts", "struts2", "action" or "actions", and either has an indicative suffix on the
- * name, or extends com.opensymphony.xwork2.Action.
+ * name, or extends com.opensymphony.xwork2.Action (Struts 2.x-6.x) or org.apache.struts2.Action (Struts 7.x+).
  */
 class Struts2ConventionActionClass extends Class {
   Struts2ConventionActionClass() {
@@ -108,7 +108,10 @@ class Struts2ConventionActionClass extends Class {
     ) and
     (
       this.getName().matches("%" + getConventionSuffix(this)) or
-      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action")
+      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "Action") or
+      this.getAnAncestor().hasQualifiedName("org.apache.struts2", "Action") or
+      this.getAnAncestor().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport") or
+      this.getAnAncestor().hasQualifiedName("org.apache.struts2", "ActionSupport")
     )
   }