OK, so I tried that and found one library needs to be excluded (from the 
exclusion list) - i.e. scanned
# ls jstl*; grep ".tld" jstl-*
jstl-api-1.2.jar  jstl-impl-1.2.jar
Binary file jstl-impl-1.2.jar matches

So if your rule works, I need jstl-impl to be scanned, but jstl-api could be 
Nice! Thanks.

    On Monday, November 6, 2017 10:54 AM, Mark H. Wood <mw...@iupui.edu> wrote:

 On Mon, Nov 06, 2017 at 10:13:42AM -0500, Christopher Schultz wrote:
> Hash: SHA256
> Ray,
> On 11/6/17 9:48 AM, Ray Holme wrote:
> > I am not the primary developer. I do Java and DB development. I
> > leave the JSP for someone else (I am mostly retired but I have
> > been doing this a LONG time).> But I deal with distributions and
> > builds so I was the one who modified the "not to SCAN"
> > libraries.2.5 minutes down to less than 1 second.
> Fast and broken is worse than slow and working. :)
> > But I blew it with the jstl jars so I just wanted to know if there
> > is any way to find out if the jar is a taglib.
> So... generally speaking I would say "you should know your own
> libraries" but it shouldn't be hard to determine which libraries are
> taglibs. Simply look in each JAR file to see if there are any ".tld"
> files.

That's what I thought, too.  I looked, and the jstl-api JAR doesn't
contain any TLDs.  The corresponding jstl-impl JAR does, though.

Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202


Reply via email to