Security flaws through static code scan


#1

The following security flaws are reported by a security assessment tool against Aspose.Cells and Aspose.Words. Does anyone know if these libraries have gone through a security assessment? If not, what is the best way to get these issues rectified?

Insufficient Entropy (CWE ID 331)
Improper Restriction of XML External Entity Reference (‘XXE’) (CWE ID 611)
Insecure Temporary File (CWE ID 377)
Improper Resource Shutdown or Release (CWE ID 404)
Use of Wrong Operator in String Comparison (CWE ID 597)
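The five CWE categories in the report above map to well-known Java remediation patterns. As an added example (not Aspose's or Veracode's code), this shows the hardened form a static scanner expects for each category; the class and method names are illustrative.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
// Added example, not Aspose or Veracode code: the hardened form a static
// scanner expects for each CWE category listed in the report above.
public final class CweRemediationExamples {
    // CWE-331 Insufficient Entropy: a CSPRNG, not java.util.Random, for security-relevant values.
    static byte[] randomToken(int length) {
        byte[] buf = new byte[length];
        new SecureRandom().nextBytes(buf);
        return buf;
    }

    // CWE-611 XXE: refuse DTDs and external entities before parsing untrusted XML.
    static DocumentBuilderFactory hardenedXmlFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // CWE-377 Insecure Temporary File: create it atomically with owner-only permissions (POSIX only).
    static Path ownerOnlyTempFile() throws IOException {
        return Files.createTempFile("report-", ".tmp",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
    }

    // CWE-404 Improper Resource Shutdown: try-with-resources closes the stream on every path.
    static long countBytes(Path p) throws IOException {
        long n = 0;
        try (InputStream in = Files.newInputStream(p)) {
            while (in.read() != -1) n++;
        }
        return n;
    }

    // CWE-597 Wrong Operator in String Comparison: equals() compares contents, == compares identity.
    static boolean sameValue(String a, String b) {
        return a != null && a.equals(b);
    }
}
```

When a scanner attributes such a finding to a third-party jar at line 1, it is reporting on bytecode without source, so the fix has to come from the library vendor or from wrapping the call site with the pattern shown.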


#2

@agargi,
We are gathering details regarding the Aspose.Words and Aspose.Cells APIs. We will let you know about our findings once we are done with our initial investigations.

Best Regards,
Imran Rafique


#3

@agargi,
We have recently fixed some of the security issues and would recommend that you try the latest version 17.7 of both the Aspose.Words and Aspose.Cells APIs. Kindly let us know which security assessment tools you have used to identify the security flaws. If you can find the security flaws with the latest versions 17.7, then kindly share snapshots, preferably videos. It will help us to replicate the same security flaws in our environment; then we will investigate and share our findings with you.

You can create a video with VLC or any other tool of your choice. Please refer to the downloads for version 17.7: Download Aspose.Words for .NET 17.7 and Download Aspose.Cells for .NET 17.7

Best Regards,
Imran Rafique


#4

Even after upgrading to Aspose Cells and Words v17.8 for Java, flaws are still reported. The security assessment tool used is Veracode, and the flaws are reported by static scans.

Please see below a partial list of the flaws reported:

image.png (7.8 KB)
image.png (23.0 KB)
image.png (23.1 KB)


#5

@agargi,

Thanks for sharing the details.

Can you please confirm whether the problems occur for all documents or only for a certain set of files? If possible, please share the sample files so that we can further investigate this scenario in our environment. We are sorry for this inconvenience.


#6

Can you please let me know if you want source code?

Veracode did not report the location of the flaw in our code but mentioned Aspose Cells library files with line number 1. So it is difficult to find out which part of my code should be shared (that is causing this error).

image.png (5.1 KB)


#7

@agargi

Please provide us with more details about your issue. Please provide your sample Excel file(s), sample code and screenshots with complete detail. It will be much more helpful if you provide a video instead of screenshots. You can create a video with VLC or any other video editing/creating software.

Are you scanning Aspose.Cells for Java with your anti-virus software? What type of software is shown in your screenshots? What do you want us to fix? And what do you suggest we fix in Aspose.Cells for Java? Besides, do you get the same results with other Aspose APIs, or does your issue occur only with Aspose.Cells for Java?