Hi Dill,
without looking into it, it's likely lib wrapper modules for Ant
projects, so that Ant projects can depend on libs without having to
set up repositories. Those wrappers can also be updated or replaced by
the user and work like a local repository. (you can see the list via
tools -> libraries)
That sounded like a useful thing to have back when Maven didn't exist
yet and back when many projects copied dependency jars into their lib
folders without real dependency management.
There are also old versions of Spring bundled which can be removed (or
updated if they are still supported).
Everything unsupported should be removed, things which are still
supported updated. I don't think we should add new libs, let's let that
mechanism fade out.
Feel free to open PRs - would be good to clean that area up,
-mbien
On 10.10.23 20:09, Dill, Ryan wrote:
Only because I wanted to confirm if there was an explanation for it
still being distributed first. 😊
*From:* Geertjan Wielenga <geertjan.wiele...@googlemail.com>
*Sent:* Tuesday, October 10, 2023 2:04 PM
*To:* Dill, Ryan <cd...@ciena.com>
*Cc:* users@netbeans.apache.org
*Subject:* [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?
Is there a reason you haven’t provided a pull request for this in the
Apache NetBeans GitHub repo?
Gj
On Tue, 10 Oct 2023 at 19:44, Dill, Ryan <cd...@ciena.com.invalid> wrote:
The latest version of Apache NetBeans (19) still distributes
Apache Struts 1:
* https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58
Apache Struts 1 was EOLed a decade ago:
* https://struts.apache.org/struts1eol-announcement.html
* https://struts.apache.org/struts1eol-press
Hence, any subsequent bugs or security vulnerabilities found in
Struts 1 since that time would not have been fixed in the version
of Struts distributed with modern versions of Apache NetBeans.
I don't know if the continued distribution of Struts 1 with
NetBeans constitutes an actual vulnerability in *NetBeans* (since
I assume the Struts framework is only provided for users to
develop new web applications) -- But the simple presence of the
Struts 1 library files in NetBeans installations causes security
flags to be raised by third-party security scanning tools that our
corporation is using, like Rapid 7 (https://www.rapid7.com/).
At the very least, continuing to distribute Struts 1 with NetBeans
seems to introduce risk that end-users using NetBeans to develop
web applications with Struts (e.g. as per
https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html)
may end up producing a web application with Struts 1 without
necessarily knowing it's EOL, creating more risk in their web
application than necessary.
Is there a reason that NetBeans is still distributing long-EOLed
Struts 1 instead of something more modern (e.g. Struts 2.5.x, or
even Struts 6.x)?
--
Ryan Dill (he/him) | R&D Tools and Services | Ciena
cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2,
Canada