Re: [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?

2023-10-10 Thread Michael Bien

Hi Dill,

Without looking into it, it's likely lib wrapper modules for Ant 
projects, so that Ant projects can depend on libs without having to 
set up repositories. Those wrappers can also be updated or replaced by 
the user and work like a local repository. (You can see the list via 
Tools -> Libraries.)


That sounded like a useful thing to have back when maven didn't exist 
yet and back when many projects copied dependency jars into their lib 
folders without real dependency management.


There are also old versions of spring bundled which can be removed (or 
updated if they are still supported).


Everything unsupported should be removed, things which are still 
supported updated. I don't think we should add new libs; let's let that 
mechanism fade out.


feel free to open PRs - would be good to clean that area up,

-mbien




RE: [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?

2023-10-10 Thread Dill, Ryan
Only because I wanted to confirm if there was an explanation for it still being 
distributed first. 



Re: Apache NetBeans and Apache Struts 1?

2023-10-10 Thread Geertjan Wielenga
Is there a reason you haven’t provided a pull request for this in the
Apache NetBeans GitHub repo?

Gj





Apache NetBeans and Apache Struts 1?

2023-10-10 Thread Dill, Ryan
The latest version of Apache NetBeans (19) still distributes Apache Struts 1:


  * https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58

Apache Struts 1 was EOLed a decade ago:

  * https://struts.apache.org/struts1eol-announcement.html
  * https://struts.apache.org/struts1eol-press

Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since 
that time would not have been fixed in the version of Struts distributed with 
modern versions of Apache NetBeans.

I don't know if the continued distribution of Struts 1 with NetBeans 
constitutes an actual vulnerability in NetBeans (since I assume the Struts 
framework is only provided for users to develop new web applications) -- But 
the simple presence of the Struts 1 library files in NetBeans installations 
causes security flags to be raised by third-party security scanning tools that 
our corporation is using, like Rapid 7 (https://www.rapid7.com/).

At the very least, continuing to distribute Struts 1 with NetBeans seems to 
introduce risk that end-users using NetBeans to develop web applications with 
Struts (e.g. as per 
https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end 
up producing a web application with Struts 1 without necessarily knowing it's EOL, 
creating more risk in their web application than necessary.

Is there a reason that NetBeans is still distributing long-EOLed Struts 1 
instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?

--
Ryan Dill (he/him) | R Tools and Services | Ciena
cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada
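As an added example, not part of this thread or of the NetBeans project, here is the kind of inventory check a defender can run to confirm what Ryan's scanner is flagging: walk an install tree and report every jar that contains Struts 1's front controller class (org/apache/struts/action/ActionServlet.class, which Struts 2 does not ship, since it lives under org/apache/struts2/), together with the manifest Implementation-Version. The modules/ext layout, the jar names and the version strings in the sample tree are constructed assumptions, not NetBeans' real layout.

```python
import tempfile
import zipfile
from pathlib import Path

# Struts 1 packages its classes under org/apache/struts/ (ActionServlet is its front
# controller); Struts 2 uses org/apache/struts2/, so this entry singles out the EOL line.
STRUTS1_MARKER = "org/apache/struts/action/ActionServlet.class"

def struts1_version(jar_path):
    """Return the manifest Implementation-Version if the jar is Struts 1, else None."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if STRUTS1_MARKER not in names:
            return None
        version = "unknown"  # Struts 1 jar without a usable manifest entry
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        return version

def scan_tree(root):
    """Walk root and map each Struts 1 jar (path relative to root) to its version."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*.jar"):
        version = struts1_version(path)
        if version is not None:
            findings[path.relative_to(root).as_posix()] = version
    return findings

def build_sample_tree(root):
    """Constructed sample: one Struts 1 jar and one Struts 2 jar holding stub entries."""
    ext = Path(root) / "modules" / "ext"  # assumed layout, not NetBeans' real one
    ext.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(ext / "struts-core-1.3.10.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.3.10\n")
        jar.writestr(STRUTS1_MARKER, b"")
    with zipfile.ZipFile(ext / "struts2-core.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 6.3.0\n")
        jar.writestr("org/apache/struts2/dispatcher/Dispatcher.class", b"")
    return root

def scan_sample():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))
```

Call scan_sample() to see the constructed demo flag only the Struts 1 jar, or point scan_tree() at a real IDE install directory.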