The latest version of Apache NetBeans (19) still distributes Apache Struts 1:
* https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58

Apache Struts 1 was EOLed a decade ago:

* https://struts.apache.org/struts1eol-announcement.html
* https://struts.apache.org/struts1eol-press

Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since that time would not have been fixed in the version of Struts distributed with modern versions of Apache NetBeans.

I don't know if the continued distribution of Struts 1 with NetBeans constitutes an actual vulnerability in NetBeans (since I assume the Struts framework is only provided for users to develop new web applications) -- but the simple presence of the Struts 1 library files in NetBeans installations causes security flags to be raised by third-party security scanning tools that our corporation is using, like Rapid 7 (https://www.rapid7.com/).

At the very least, continuing to distribute Struts 1 with NetBeans seems to introduce risk that end-users using NetBeans to develop web applications with Struts (e.g. as per https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end up producing a web application with Struts 1 without necessarily knowing it's EOL, creating more risk in their web application than necessary.

Is there a reason that NetBeans is still distributing long-EOLed Struts 1 instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?

I originally asked this question at the users list at [email protected], and was told that the reason was "because you haven't provided a pull request". But in the "Committing Code" instructions at https://netbeans.apache.org/participate/submit-pr.html, it specifically says "Before starting to code, you may want to discuss the problem in the developer mailing list". Please consider this to be that discussion.

Just to clarify -- I'm not a NetBeans developer, nor do I know anything at all about its codebase -- I'm just trying to confirm from more knowledgeable people what the design intent is -- i.e. is there a legitimate architectural reason why Struts 1 is still being distributed?

Thanks.

--
Ryan Dill (he/him) | R&D Tools and Services | Ciena
[email protected] | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada
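The kind of check the scanning tools mentioned above perform can be reproduced locally: walk an installation tree, read the Maven `pom.properties` that Maven-built jars embed under `META-INF/maven/`, and flag any Struts artifact whose major version is 1. This is an added example written for this thread, not NetBeans or Rapid7 code; the two jars it scans are constructed in a temporary directory with illustrative coordinates, not real artifacts.

```python
import os
import tempfile
import zipfile


def struts_coordinates(jar_path):
    """Return (artifactId, version) from the jar's embedded Maven pom.properties,
    or None when the jar is not a Struts artifact."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            # Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            artifact = props.get("artifactId", "")
            if "struts" in artifact.lower() and "version" in props:
                return artifact, props["version"]
    return None


def is_eol_struts(version):
    """Struts 1.x reached end of life; any major version 1 is flagged."""
    return version.split(".", 1)[0] == "1"


def scan_tree(root):
    """Walk root and return (path, artifactId, version, eol) for every Struts jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.endswith(".jar"):
                path = os.path.join(dirpath, fname)
                hit = struts_coordinates(path)
                if hit is not None:
                    findings.append((path, hit[0], hit[1], is_eol_struts(hit[1])))
    return findings


def build_sample_tree():
    """Constructed sample: two fake jars with only a pom.properties inside (not real artifacts)."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    samples = {"struts-core.jar": ("org.apache.struts", "struts-core", "1.3.10"),
               "struts2-core.jar": ("org.apache.struts", "struts2-core", "6.3.0.2")}
    for fname, (group, artifact, version) in samples.items():
        with zipfile.ZipFile(os.path.join(root, fname), "w") as zf:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"version={version}\ngroupId={group}\nartifactId={artifact}\n")
    return root
```

Run `scan_tree(build_sample_tree())` to see the 1.3.10 jar reported as EOL and the 6.x jar pass; pointing `scan_tree` at a real NetBeans install directory performs the same inventory.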
