Re: [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?
Hi,

I recall NetBeans helping me out opening and modifying a Java 1.6 (!) J2EE (!) application with WebLogic a few years ago. At the moment it was the only IDE able to do so.

Nowadays it is still of great help opening a legacy application with Tomcat 9 and Java 8.

Who knows, maybe NetBeans is helping people maintain legacy internal Struts 1 applications somewhere.

So the explanation is that things are usually kept unless there's a reason not to.

Cheers,
Antonio

On 10/10/23 20:09, Dill, Ryan wrote:

Only because I wanted to confirm if there was an explanation for it still being distributed first. 😊

Re: [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?
Hi Dill,

without looking into it, it's likely lib wrapper modules for Ant projects, so that Ant projects can depend on libs without having to set up repositories. Those wrappers can also be updated or replaced by the user and work like a local repository (you can see the list via tools -> libraries).

That sounded like a useful thing to have back when Maven didn't exist yet and back when many projects copied dependency jars into their lib folders without real dependency management.

There are also old versions of Spring bundled which can be removed (or updated if they are still supported). Everything unsupported should be removed, things which are still supported updated. I don't think we should add new libs, let's let that mechanism fade out.

Feel free to open PRs - would be good to clean that area up,

-mbien

On 10.10.23 20:09, Dill, Ryan wrote:

Only because I wanted to confirm if there was an explanation for it still being distributed first. 😊

*From:* Geertjan Wielenga
*Sent:* Tuesday, October 10, 2023 2:04 PM
*To:* Dill, Ryan
*Cc:* users@netbeans.apache.org
*Subject:* [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?

Is there a reason you haven’t provided a pull request for this in the Apache NetBeans GitHub repo?

Gj

On Tue, 10 Oct 2023 at 19:44, Dill, Ryan wrote:

The latest version of Apache NetBeans (19) still distributes Apache Struts 1:

* https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58

Apache Struts 1 was EOLed a decade ago:

* https://struts.apache.org/struts1eol-announcement.html
* https://struts.apache.org/struts1eol-press

Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since that time would not have been fixed in the version of Struts distributed with modern versions of Apache NetBeans.

I don't know if the continued distribution of Struts 1 with NetBeans constitutes an actual vulnerability in *NetBeans* (since I assume the Struts framework is only provided for users to develop new web applications) -- But the simple presence of the Struts 1 library files in NetBeans installations causes security flags to be raised by third-party security scanning tools that our corporation is using, like Rapid 7 (https://www.rapid7.com/).

At the very least, continuing to distribute Struts 1 with NetBeans seems to introduce risk that end-users using NetBeans to develop web applications with Struts (e.g. as per https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end up producing a web application with Struts 1 without necessarily knowing it's EOL, creating more risk in their web application than necessary.

Is there a reason that NetBeans is still distributing long-EOLed Struts 1 instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?

--
Ryan Dill (he/him) | R&D Tools and Services | Ciena
cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada

RE: [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?
Only because I wanted to confirm if there was an explanation for it still being distributed first. 😊

From: Geertjan Wielenga
Sent: Tuesday, October 10, 2023 2:04 PM
To: Dill, Ryan
Cc: users@netbeans.apache.org
Subject: [**EXTERNAL**] Re: Apache NetBeans and Apache Struts 1?

Is there a reason you haven’t provided a pull request for this in the Apache NetBeans GitHub repo?

Gj
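
The original report in this thread says that the mere presence of Struts 1 library files makes file-based scanners flag a NetBeans installation. The Python below is an added example, not part of the thread and not how Rapid7 or NetBeans is implemented: it inventories a directory tree the same way, identifying each jar from its manifest or, failing that, its file name. The policy list, function names and sample jars are assumptions constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed policy for this example: (name pattern, end-of-life major version).
EOL_POLICY = [(re.compile(r"struts", re.I), "1")]

def jar_identity(jar_path):
    """Return (title, version) from the jar manifest, else from the file name."""
    headers = {}
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold continuations
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    except (KeyError, zipfile.BadZipFile):
        pass  # no manifest, or not a zip archive: only the file name is left
    stem = Path(jar_path).stem
    named = re.match(r"(.+?)-(\d+(?:\.\d+)*)", stem)
    title = headers.get("Implementation-Title") or (named.group(1) if named else stem)
    version = headers.get("Implementation-Version") or (named.group(2) if named else None)
    return title, version

def find_eol_jars(root):
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        title, version = jar_identity(jar_path)
        if any(p.search(title) and (version or "").split(".")[0] == eol for p, eol in EOL_POLICY):
            findings.append((jar_path.relative_to(root).as_posix(), title, version))
    return findings

def build_sample_install(root):
    samples = {  # constructed sample jars, not real NetBeans paths or contents
        "ide/ext/struts-1.3.10.jar": None,  # no manifest: file name only
        "ide/ext/legacy-web.jar": ("Struts Framework", "1.3.10"),
        "ide/ext/struts2-core-6.3.0.jar": ("Struts 2 Core", "6.3.0"),
    }
    Path(root, "ide/ext").mkdir(parents=True, exist_ok=True)
    for rel, meta in samples.items():
        body = "Implementation-Title: %s\r\nImplementation-Version: %s\r\n" % meta if meta else ""
        with zipfile.ZipFile(Path(root, rel), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF" if meta else "README.txt", body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        print(find_eol_jars(tmp))
```

The renamed `legacy-web.jar` is still reported because its manifest identifies it, which is why renaming a bundled jar does not clear a finding; only removing or updating the library does.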