Is there a reason you haven’t provided a pull request for this in the Apache NetBeans GitHub repo?
Gj

On Tue, 10 Oct 2023 at 19:44, Dill, Ryan <cd...@ciena.com.invalid> wrote:

> The latest version of Apache NetBeans (19) still distributes Apache Struts 1:
>
> - https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58
>
> Apache Struts 1 was EOLed a decade ago:
>
> - https://struts.apache.org/struts1eol-announcement.html
> - https://struts.apache.org/struts1eol-press
>
> Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since that time would not have been fixed in the version of Struts distributed with modern versions of Apache NetBeans.
>
> I don't know if the continued distribution of Struts 1 with NetBeans constitutes an actual vulnerability in *NetBeans* (since I assume the Struts framework is only provided for users to develop new web applications) -- but the simple presence of the Struts 1 library files in NetBeans installations causes security flags to be raised by third-party security scanning tools that our corporation is using, like Rapid 7 (https://www.rapid7.com/).
>
> At the very least, continuing to distribute Struts 1 with NetBeans seems to introduce risk that end-users using NetBeans to develop web applications with Struts (e.g. as per https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end up producing a web application with Struts 1 without necessarily knowing it's EOL, creating more risk in their web application than necessary.
>
> Is there a reason that NetBeans is still distributing long-EOLed Struts 1 instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?
>
> --
> Ryan Dill (he/him) | R&D Tools and Services | Ciena
> cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada
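As an added example (not code from this thread, NetBeans or Struts), here is the kind of defender-side check the scanning tools mentioned above perform: walk an installation tree, read each jar's manifest, and report Struts jars whose major version is the end-of-life 1.x line. The directory layout, jar names and manifest contents below are constructed for illustration and do not reflect the real NetBeans layout.

```python
import os
import tempfile
import zipfile

EOL_MAJOR = 1  # Struts 1.x is end-of-life; 2.5.x and 6.x are the maintained lines


def read_manifest(jar_path):
    """Parse META-INF/MANIFEST.MF into a dict; continuation lines are ignored."""
    attrs = {}
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return attrs
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def struts_version(jar_path):
    """Return the Struts version string, or None if the jar is not a Struts jar."""
    manifest = read_manifest(jar_path)
    haystack = (os.path.basename(jar_path) + manifest.get("Implementation-Title", "")).lower()
    if "struts" not in haystack:
        return None
    return manifest.get("Implementation-Version", "unknown")


def find_eol_struts(root):
    """Walk root and list (relative path, version) for every Struts jar at EOL_MAJOR."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files) if f.lower().endswith(".jar")):
            version = struts_version(path)
            major = version.split(".")[0] if version else ""
            if major.isdigit() and int(major) == EOL_MAJOR:
                hits.append((os.path.relpath(path, root), version))
    return hits


def make_sample_tree():  # constructed fixture: one EOL Struts jar, one current, one unrelated
    root = tempfile.mkdtemp()
    jars = {"ext/struts/struts-core-1.3.10.jar": ("Struts Core", "1.3.10"),
            "ext/struts2-core-6.3.0.2.jar": ("Struts 2 Core", "6.3.0.2"),
            "lib/other-lib-2.0.jar": ("Other", "2.0")}
    for rel, (title, ver) in jars.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Title: {title}\nImplementation-Version: {ver}\n")
    return root
```

Running `find_eol_struts(make_sample_tree())` reports only the 1.3.10 jar; point it at a real install directory to get the same listing a scanner would flag.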