Only because I wanted to confirm if there was an explanation for it still being distributed first. 😊
From: Geertjan Wielenga <geertjan.wiele...@googlemail.com>
Sent: Tuesday, October 10, 2023 2:04 PM
To: Dill, Ryan <cd...@ciena.com>
Cc: users@netbeans.apache.org
Subject: [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?

Is there a reason you haven't provided a pull request for this in the Apache NetBeans GitHub repo?

Gj

On Tue, 10 Oct 2023 at 19:44, Dill, Ryan <cd...@ciena.com.invalid> wrote:

The latest version of Apache NetBeans (19) still distributes Apache Struts 1:

* https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58

Apache Struts 1 was EOLed a decade ago:

* https://struts.apache.org/struts1eol-announcement.html
* https://struts.apache.org/struts1eol-press

Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since that time would not have been fixed in the version of Struts distributed with modern versions of Apache NetBeans.
I don't know if the continued distribution of Struts 1 with NetBeans constitutes an actual vulnerability in NetBeans (since I assume the Struts framework is only provided for users to develop new web applications), but the simple presence of the Struts 1 library files in NetBeans installations causes security flags to be raised by third-party security scanning tools that our corporation is using, like Rapid7 (https://www.rapid7.com/).

At the very least, continuing to distribute Struts 1 with NetBeans seems to introduce risk that end users using NetBeans to develop web applications with Struts (e.g. as per https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end up producing a web application with Struts 1 without necessarily knowing it's EOL, creating more risk in their web application than necessary.

Is there a reason that NetBeans is still distributing long-EOLed Struts 1 instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?

--
Ryan Dill (he/him) | R&D Tools and Services | Ciena
cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada
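The thread turns on a point that third-party scanners make mechanically: a Struts 1.x jar sitting in an install directory is flagged as end-of-life whatever it is used for. The script below is an added example of that inventory check, not code from the NetBeans project or from anyone on the thread. It walks an install tree, identifies Struts jars from the `struts[2]-<module>-<version>.jar` filename convention and from the `Implementation-Version` attribute in `META-INF/MANIFEST.MF` (both treated as assumptions here), and reports every 1.x artifact as EOL, plus any Struts jar whose version it cannot determine. The sample install tree and the jars in it are constructed in-process so the script runs offline; the `enterprise/modules/ext` layout only mimics an IDE cluster and is not asserted to match NetBeans.

```python
"""Find end-of-life Apache Struts 1.x jars under an install directory.

Added example, not Apache NetBeans project code. Assumes Struts jars follow
the "struts[2]-<module>-<version>.jar" naming and/or carry an
Implementation-Version attribute in META-INF/MANIFEST.MF; both are treated
as assumptions, and jars whose version cannot be read are reported too.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Struts 1.x is end-of-life (struts.apache.org/struts1eol-announcement.html),
# so every 1.x artifact is reported regardless of patch level.
EOL_MAJOR = 1

FILENAME_RE = re.compile(
    r"^struts\d*(?:-[a-z0-9]+)*-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE
)


def manifest_version(jar_bytes: bytes) -> Optional[str]:
    """Return the main-section Implementation-Version from MANIFEST.MF, if any."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            if "META-INF/MANIFEST.MF" not in zf.namelist():
                return None
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section; per-entry sections follow
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip() or None
    return None


def classify(filename: str, jar_bytes: bytes) -> Dict[str, object]:
    """Decide whether a jar is a Struts artifact and whether it is EOL.

    The manifest version wins over the filename; a Struts jar whose version
    cannot be read is reported as 'unknown' rather than silently passed.
    """
    match = FILENAME_RE.match(filename)
    if not match and "struts" not in filename.lower():
        return {"file": filename, "struts": False, "version": None,
                "eol": False, "unknown": False}
    version = manifest_version(jar_bytes) or (match.group(1) if match else None)
    major = version.split(".")[0] if version else ""
    eol = major.isdigit() and int(major) <= EOL_MAJOR
    return {"file": filename, "struts": True, "version": version,
            "eol": eol, "unknown": not major.isdigit()}


def scan_dir(root: str) -> List[Dict[str, object]]:
    """Walk root and return findings for EOL or unidentifiable Struts jars."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        result = classify(path.name, path.read_bytes())
        if result["struts"] and (result["eol"] or result["unknown"]):
            result["path"] = str(path)
            findings.append(result)
    return findings


def build_sample_jar(version: Optional[str]) -> bytes:
    """Constructed stand-in jar (not a real Struts artifact) for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n\n")
        zf.writestr("org/apache/struts/placeholder.txt", "constructed sample")
    return buf.getvalue()


def make_sample_install() -> str:
    """Create a constructed install tree; the layout only mimics an IDE cluster."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    lib = Path(root, "enterprise", "modules", "ext")
    lib.mkdir(parents=True)
    Path(lib, "struts-core-1.3.10.jar").write_bytes(build_sample_jar("1.3.10"))
    Path(lib, "struts-taglib-1.3.10.jar").write_bytes(build_sample_jar(None))
    Path(lib, "struts2-core-6.3.0.2.jar").write_bytes(build_sample_jar("6.3.0.2"))
    Path(lib, "commons-lang-2.6.jar").write_bytes(build_sample_jar("2.6"))
    return root


if __name__ == "__main__":
    for finding in scan_dir(make_sample_install()):
        print(f"{finding['path']}: Struts {finding['version']} "
              f"({'EOL' if finding['eol'] else 'version unknown'})")
```

Run against a real install, point `scan_dir` at the IDE's root directory instead of `make_sample_install()`; a hit tells you only that an EOL artifact is present on disk, which is exactly the signal the commercial scanners in the thread act on, not whether any running code loads it.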