
Conversation

Contributor

Copilot AI commented Jan 8, 2026

Addresses Dependabot advisories for struts:struts:1.2.9 which has multiple unpatched CVEs (path traversal, XXE, memory exhaustion). Struts 1.x has been EOL since 2013 with no security fixes available.

Key Finding

The codebase only uses struts-menu's JSP taglibs (menu:useMenuDisplayer, menu:displayMenu) and MenuContextListener. No Java code imports Struts classes directly.

Solution

In struts-menu 2.4.3, struts is an optional dependency. Upgrading and excluding struts removes the vulnerability without breaking functionality.

Changes

treebase-web/pom.xml

  • Removed struts:struts:1.2.9 direct dependency
  • Upgraded struts-menu from 2.3 → 2.4.3
  • Added exclusion for struts and outdated transitive deps (velocity 1.x, log4j 1.x, spring 1.x)

oai-pmh_data_provider/data_provider_web/pom.xml

  • Same changes as above

No Changes Required

  • JSPs: Menu tags are API-compatible
  • web.xml: MenuContextListener unchanged
  • Java: No struts imports existed
  • CI/CD, Docker: Unaffected

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • mvnrepository.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • nvd.nist.gov
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

We need a major upgrade of struts:struts to resolve certain dependabot advisories. However, this will require some API changes. Devise a plan for this:

  • which version is the most recent one that is compatible with the rest of the current stack
  • what API changes need to be enacted
  • what needs to happen in the servlet deployment
  • what changes need to be made in the JSPs

Be thorough in your analysis. Look at the dependency management of both treebase-core and treebase-web. Look at the entire code base, both Java and JSP. Look at the deployment pipeline. Both in CI/CD and the Docker container. Look at the servlet configuration XML files.
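As an added illustration of the pom.xml change the description above summarises (this is not the PR's actual diff), the fragment below shows the vulnerable declaration beside the corrected one. `struts:struts:1.2.9`, `struts-menu` 2.3 and 2.4.3, and the excluded artifacts (velocity 1.x, log4j 1.x, spring 1.x) come from the PR; the groupIds `struts-menu`, `velocity` and `springframework` are assumptions and should be checked against the actual `mvn dependency:tree` output before use.

```xml
<!-- BEFORE (vulnerable): struts 1.2.9 is declared directly, and struts-menu 2.3
     would pull it in transitively even if the direct declaration were dropped. -->
<dependency>
  <groupId>struts</groupId>
  <artifactId>struts</artifactId>
  <version>1.2.9</version>
</dependency>
<dependency>
  <groupId>struts-menu</groupId>            <!-- groupId is an assumption -->
  <artifactId>struts-menu</artifactId>
  <version>2.3</version>
</dependency>

<!-- AFTER: no direct struts dependency; struts-menu moved to 2.4.3, where struts is
     optional, and struts is excluded explicitly anyway so no other resolution path
     (a future struts-menu bump, a plugin, a dependencyManagement entry) can reintroduce it.
     The other exclusions drop the outdated transitive deps named in the PR. -->
<dependency>
  <groupId>struts-menu</groupId>            <!-- groupId is an assumption -->
  <artifactId>struts-menu</artifactId>
  <version>2.4.3</version>
  <exclusions>
    <exclusion>
      <groupId>struts</groupId>
      <artifactId>struts</artifactId>
    </exclusion>
    <exclusion>
      <groupId>velocity</groupId>           <!-- groupId is an assumption -->
      <artifactId>velocity</artifactId>
    </exclusion>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
    <exclusion>
      <groupId>springframework</groupId>    <!-- groupId is an assumption -->
      <artifactId>spring</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To confirm the exclusion took effect, run `mvn dependency:tree -Dincludes=struts:struts` in each affected module; an empty tree means nothing resolves the artifact any more. The exclusion is only safe because of the key finding in the description (no Java imports of Struts classes; only the menu taglibs and `MenuContextListener` are used), so the JSPs that use `menu:useMenuDisplayer` and `menu:displayMenu` should still be compiled or exercised in a test deployment, since a missing class behind a taglib shows up at render time rather than at build time.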



- Removed struts:struts:1.2.9 from treebase-web and data_provider_web
- Upgraded struts-menu from 2.3 to 2.4.3 (struts is optional in 2.4.3)
- Added exclusion for struts in struts-menu to ensure it's not pulled transitively
- Added exclusions for other outdated transitive dependencies from struts-menu
- All builds pass successfully

Co-authored-by: rvosa <106490+rvosa@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Upgrade struts dependency to resolve advisories" to "Remove vulnerable struts:struts dependency, upgrade struts-menu to 2.4.3" on Jan 8, 2026
Copilot AI requested a review from rvosa January 8, 2026 09:14
@rvosa rvosa marked this pull request as ready for review January 8, 2026 10:17
@rvosa rvosa merged commit 53399d4 into master Jan 8, 2026
3 checks passed
@rvosa rvosa deleted the copilot/upgrade-struts-version branch January 8, 2026 10:17