The latest version of Apache NetBeans (19) still distributes Apache Struts 1:
* https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58

Apache Struts 1 was EOLed a decade ago:
* https://struts.apache.org/struts1eol-announcement.html
* https://struts.apache.org/struts1eol-press

Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since that time would not have been fixed in the version of Struts distributed with modern versions of Apache NetBeans.

I don't know if the continued distribution of Struts 1 with NetBeans constitutes an actual vulnerability in NetBeans (since I assume the Struts framework is only provided for users to develop new web applications) -- But the simple presence of the Struts 1 library files in NetBeans installations causes security flags to be raised by third-party security scanning tools that our corporation is using, like Rapid 7 (https://www.rapid7.com/).

At the very least, continuing to distribute Struts 1 with NetBeans seems to introduce risk that end-users using NetBeans to develop web applications with Struts (e.g. as per https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end up producing a web application with Struts 1 without necessarily knowing it's EOL, creating more risk in their web application than necessary.

Is there a reason that NetBeans is still distributing long-EOLed Struts 1 instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?

--
Ryan Dill (he/him) | R&D Tools and Services | Ciena
cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada