didn't see this mail here, I just replied to it on the users list -
please don't crosspost if possible.
-mbien
On 11.10.23 02:23, Dill, Ryan wrote:
The latest version of Apache NetBeans (19) still distributes Apache Struts 1:
* https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58
Apache Struts 1 was EOLed a decade ago:
* https://struts.apache.org/struts1eol-announcement.html
* https://struts.apache.org/struts1eol-press
Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since
that time would not have been fixed in the version of Struts distributed with
modern versions of Apache NetBeans.
I don't know if the continued distribution of Struts 1 with NetBeans
constitutes an actual vulnerability in NetBeans (since I assume the Struts
framework is only provided for users to develop new web applications) -- But
the simple presence of the Struts 1 library files in NetBeans installations
causes security flags to be raised by third-party security scanning tools that
our corporation is using, like Rapid 7 (https://www.rapid7.com/).
At the very least, continuing to distribute Struts 1 with NetBeans seems to
introduce risk that end-users using NetBeans to develop web applications with
Struts (e.g. as per
https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end
up producing a web application with Struts 1 without necessarily knowing it's EOL,
creating more risk in their web application than necessary.
Is there a reason that NetBeans is still distributing long-EOLed Struts 1
instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?
I originally asked this question at the users list at
[email protected], and was told that the reason
was "because you haven't provided a pull request".
But in the "Committing Code" instructions at
https://netbeans.apache.org/participate/submit-pr.html, it specifically says "Before starting
to code, you may want to discuss the problem in the developer mailing list". Please consider
this to be that discussion.
Just to clarify -- I'm not a NetBeans developer, nor do I know anything at all
about its codebase -- I'm just trying to confirm from more knowledgeable people
what the design intent is -- i.e. is there a legitimate architectural reason
why Struts 1 is still being distributed?
Thanks.
--
Ryan Dill (he/him) | R&D Tools and Services | Ciena
[email protected] | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada
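The thread mentions that third-party scanners flag an install simply because the Struts 1 jar files are present. The script below is an added example, not code from this thread or from the NetBeans project, showing how such an inventory check can be done locally: it walks a directory tree, opens every jar, classifies it as Struts 1 or Struts 2 by the framework's public package layout (the Struts 1 `org/apache/struts/action/ActionServlet.class` entry versus the `org/apache/struts2/` package prefix), reads the version from the manifest, and marks the Struts 1 generation as EOL regardless of minor version. The sample jars it builds for the demo are constructed in a temporary directory, and their version strings are sample values, not anything read from a NetBeans distribution.

```python
"""Inventory Struts jars under a directory tree and flag the EOL Struts 1 line.

Added example (not NetBeans project code). Assumes bundled libraries are plain
.jar files on disk, as in a NetBeans install tree. Markers used:
  Struts 1: the org/apache/struts/action/ActionServlet.class entry
  Struts 2: any entry under org/apache/struts2/
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

STRUTS1_MARKER = "org/apache/struts/action/ActionServlet.class"
STRUTS2_PREFIX = "org/apache/struts2/"


@dataclass
class Finding:
    path: str
    generation: str            # "struts1" or "struts2"
    version: Optional[str]     # from the manifest, if any
    eol: bool                  # True for the whole Struts 1 line


def _manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the first version-like attribute from META-INF/MANIFEST.MF, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    # Manifest lines may be continued on a following line that starts with a
    # space (72-byte wrapping); join those before matching.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for key in ("Implementation-Version", "Bundle-Version", "Specification-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def classify_jar(path: str) -> Optional[Finding]:
    """Classify one jar; returns None when it is not a Struts jar at all."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if STRUTS1_MARKER in names:
            gen = "struts1"
        elif any(n.startswith(STRUTS2_PREFIX) for n in names):
            gen = "struts2"
        else:
            return None
        version = _manifest_version(zf)
    # Struts 1 is EOL as a product line (see the announcements linked in the
    # thread), so the generation alone decides; the version is kept for the record.
    return Finding(path=path, generation=gen, version=version, eol=(gen == "struts1"))


def scan_for_struts(root: str) -> List[Finding]:
    """Walk `root` and return a Finding for every Struts jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                found = classify_jar(full)
            except zipfile.BadZipFile:
                continue           # not a real jar; skip rather than fail the scan
            if found:
                findings.append(found)
    return findings


def build_sample_jar(path: str, generation: str, version: str) -> None:
    """Write a minimal constructed jar carrying only the marker entries (demo input)."""
    manifest = f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if generation == "struts1":
            zf.writestr(STRUTS1_MARKER, b"")
        elif generation == "struts2":
            zf.writestr(STRUTS2_PREFIX + "StrutsConstants.class", b"")


def demo_scan() -> Dict[str, Finding]:
    """Build three constructed jars in a temp dir, scan it, and key results by file name."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jar(os.path.join(d, "struts-core-sample.jar"), "struts1", "1.3.10")
        build_sample_jar(os.path.join(d, "struts2-core-sample.jar"), "struts2", "6.0.0")
        build_sample_jar(os.path.join(d, "unrelated-sample.jar"), "other", "1.0")
        return {os.path.basename(f.path): f for f in scan_for_struts(d)}


if __name__ == "__main__":
    for name, f in demo_scan().items():
        status = "EOL" if f.eol else "supported line"
        print(f"{name}: {f.generation} {f.version or '?'} ({status})")
```

Point it at a real install tree with `scan_for_struts("/path/to/netbeans")`; any `eol=True` finding is the same signal a commercial scanner raises, which makes the output a useful cross-check when deciding whether a flagged file is a development-time library or something actually deployed.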