Hello Randall,

If it's for a single plugin, the easiest way is to use `mvn dependency:tree` to check if you are using Struts or not. Usually if you include Struts indirectly (through transitive dependencies) there is a low likelihood that you are effectively using it. Most of the Jenkins plugins are using only Stapler for their HTTP request handling, without any other framework (like Struts).

If you want to know about an instance of Jenkins with its plugins, I would recommend using a regular security scanner (SCA) to see if they are finding anything there. Now, if you are not sure, you can still contact the security team, but I will ask you to provide more details, like which plugin, which CVE, and your doubts.

Best regards,

Wadeck Follonier
Jenkins Security officer

On Thursday, December 21, 2023 at 7:12:21 PM UTC+1 [email protected] wrote:

> My unofficial answer: Jenkins uses Stapler as its web framework (not
> Struts), so I strongly suspect there are zero Jenkins plugins
> distributed on our Update Center that bundle Struts 2 or 3. For an
> official answer, contact the Security Team at:
>
> https://www.jenkins.io/security/team/
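
Added example, not part of the original thread: a small parser for `mvn dependency:tree` output that reports each Struts artifact together with the dependency chain that pulls it in, and whether it is direct or transitive. The sample tree is constructed, and the groupIds `org.apache.struts` and `struts` are assumed to be the coordinates of interest.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from a real plugin).
SAMPLE_TREE = r"""
[INFO] Scanning for projects...
[INFO] org.example:my-plugin:hpi:1.0-SNAPSHOT
[INFO] +- org.jenkins-ci.plugins:structs:jar:1.20:compile
[INFO] +- com.example:legacy-report:jar:2.1:compile
[INFO] |  \- org.apache.struts:struts2-core:jar:2.5.30:compile
[INFO] |     \- ognl:ognl:jar:3.1.29:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# Assumption: groupIds under which Struts artifacts are published.
STRUTS_GROUPS = {"org.apache.struts", "struts"}

# "[INFO] ", 3-char indent units, optional "+- " / "\- " marker, coordinates.
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?([\w.\-]+(?::[\w.\-]+){3,5})$")


def find_struts_paths(tree_text):
    """Return each Struts artifact with the dependency chain that pulls it in."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # banner, log or blank line
        prefix, marker, coord = m.groups()
        depth = len(prefix) // 3 + (1 if marker else 0)
        del stack[depth:]          # drop siblings and deeper nodes
        stack.append(coord)
        if coord.split(":")[0] in STRUTS_GROUPS:
            hits.append({
                "path": list(stack),
                "direct": depth == 1,
                "scope": coord.rsplit(":", 1)[1],
            })
    return hits


if __name__ == "__main__":
    for hit in find_struts_paths(SAMPLE_TREE):
        kind = "direct" if hit["direct"] else "transitive"
        print(f"{kind} ({hit['scope']}): " + " -> ".join(hit["path"]))
```

Matching on the groupId rather than on the substring "struts" keeps similarly named artifacts, such as the Jenkins `structs` plugin in the sample, out of the results.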
