Security related questions in Aspose.Words for Java

We want to use Aspose.Words for Java in our product and are actively evaluating the product functionality. We have a very rigorous security checklist and we want to understand how Aspose addresses security related issues. Can you please provide answers to the following questions:

  1. Is there a way we can receive notifications of any security issues found in the Aspose software?
  2. How do we report security issues found in Aspose?
  3. Have you performed any security code scans on Aspose libraries like Veracode scan, Fortify etc? Do you have a valid of issues identified and addressed?
  4. What is the typical timeline in which you can fix the security related issues reported?
  5. How safe are the XML parsers provided by Aspose w.r.t. security vulnerabilities possible? What steps do you take to ensure these parsers are safe?
  6. From the Aspose website, we learn that Aspose.Words for Java uses a temporary directory on your machine that is specified via the java.io.tmpdir system property. Aspose.Words writes temporary files and removes them as soon as rendering is completed. “java.io.tmpdir” is a standard Java system property which is also used by the disk-based storage policies. It determines where the JVM writes temporary files. https://docs.aspose.com/words/java/system-requirements/

Is this secure? What is the time span of the files generated here?
It is very important for us to be able to answer these questions in a timely manner to be able to use this software. So, any quick replies will be appreciated.
Thanks,
Kundana.
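The temporary-directory question above is one a reviewer can partly answer on their own side: any library that honours java.io.tmpdir can be pointed at a scratch directory that only the processing user can read, instead of the world-writable system temp directory. The following is an added example written for this thread, not code from Aspose or from the original poster; it assumes a POSIX file system, and the name PrivateTempDir and the "docproc-" prefix are arbitrary.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Comparator;
import java.util.Set;
import java.util.stream.Stream;

// Added example (hypothetical class name): give a document-processing library that honours
// java.io.tmpdir a private, per-process scratch directory instead of the shared system one.
public final class PrivateTempDir {

    // Creates a directory under 'base' that only the current user can access and points
    // java.io.tmpdir at it. Note: the JDK caches java.io.tmpdir the first time any temp
    // file is created, so for a running JVM this must happen before that, and the robust
    // way is to pass -Djava.io.tmpdir=<dir> on the JVM command line instead.
    static Path install(Path base) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        Path dir = Files.createTempDirectory(base, "docproc-",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        // Re-apply explicitly: the creation attribute is still subject to the process umask.
        Files.setPosixFilePermissions(dir, ownerOnly);
        System.setProperty("java.io.tmpdir", dir.toAbsolutePath().toString());
        return dir;
    }

    // Check to run at start-up: the active temp directory must not be group- or world-writable.
    static boolean isPrivate(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        return !perms.contains(PosixFilePermission.GROUP_WRITE)
            && !perms.contains(PosixFilePermission.OTHERS_WRITE);
    }

    // Removes anything the library did not delete itself (e.g. after a crash mid-render),
    // which bounds the lifetime of any intermediate file to the life of this process.
    static void cleanup(Path dir) throws IOException {
        try (Stream<Path> files = Files.walk(dir)) {
            files.sorted(Comparator.reverseOrder()).forEach(p -> {
                try {
                    Files.deleteIfExists(p);
                } catch (IOException ignored) {
                    // best effort; the directory is private, so leftovers are not readable by others
                }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = install(Paths.get(System.getProperty("java.io.tmpdir")));
        try {
            System.out.println("java.io.tmpdir -> " + System.getProperty("java.io.tmpdir"));
            System.out.println("owner-only: " + isPrivate(dir));
            // ... render documents here; scratch files land under 'dir' ...
        } finally {
            cleanup(dir);
        }
    }
}
```

The check in isPrivate is the one to wire into deployment verification: on a shared host the default /tmp is world-writable, so the relevant question is less whether the vendor deletes its files promptly and more whether another local user could read or replace them while they exist.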

@Kundana
Aspose products are very secure. Aspose components run in the same user context as any regular application. Therefore, Aspose components do not pose a potential risk to vital system resources. Furthermore, when a document is opened by an Aspose component, macros are not automatically run. Aspose components were built with the goal of allowing developers to create, manipulate and save Office files. None of the risks associated with the Microsoft Office package are inherent to Aspose components.
You can use Document.WarningCallback property to receive notifications during various document processing procedures when an issue is detected that might result in data or formatting fidelity loss.
We provide support via forums. So, please report the issues you are facing in Aspose.Words forum.
Please read about Security Practices.
We try our best to deal with every customer request in a timely fashion, but we unfortunately cannot guarantee a delivery date for every customer issue. We work on issues on a first come, first served basis. We feel this is the fairest and most appropriate way to satisfy the needs of the majority of our customers.
The performance and memory usage all depend on the complexity and size of the documents you are generating.

@tahir.manzoor
Thank you for your reply.
But we are looking at more specific answers to the questions I have stated above.

  1. Is there a way we can receive notifications of any security issues found in the Aspose software?
  2. How do we report security issues found in Aspose?
    Understood, this has to be done via the forum or by logging tickets.
  3. Have you performed any security code scans on Aspose libraries like Veracode scan, Fortify etc? Do you have a valid of issues identified and addressed?
  4. What is the typical timeline in which you can fix the security related issues reported?
    So, I can understand that you cannot guarantee any specific timeline for the specific issues. Can you point me to any questions in the forum related to security which you have fixed? This is to understand the typical timelines.
  5. How safe are the XML parsers provided by Aspose w.r.t. security vulnerabilities possible? What steps do you take to ensure these parsers are safe?
    Can you comment briefly on these XML parsers as well?

Regards,
Kundana.

@Kundana
Thanks for your inquiry.
Kundana:

  • Is there a way we can receive notifications of any security issues found in the Aspose software?

You can use Document.WarningCallback property to receive notifications during various document processing procedures when an issue is detected that might result in data or formatting fidelity loss.
Could you please share what kind of security notifications you want to receive while processing document?
Kundana:

How do we report security issues found in Aspose?

Please report the issues you are facing in Aspose.Words forum.
Kundana:

Have you performed any security code scans on Aspose libraries like Veracode scan, Fortify etc? Do you have a valid of issues identified and addressed?

The issues found after the Veracode scan have been fixed. Please use the latest version of Aspose.Words for Java, 18.9. If you are facing any issue, please report them in this thread.
Kundana:

  • What is the typical timeline in which you can fix the security related issues reported?

We try our best to deal with every customer request in a timely fashion, but we unfortunately cannot guarantee a delivery date for every customer issue. We work on issues on a first come, first served basis. We feel this is the fairest and most appropriate way to satisfy the needs of the majority of our customers.
Aspose products are very secure. Could you please share what kind of security issues you are facing while using Aspose.Words?
Kundana:

  • How safe are the XML parsers provided by Aspose w.r.t. security vulnerabilities possible? What steps do you take to ensure these parsers are safe?

Aspose components run in the same user context as any regular application. Therefore, Aspose components do not pose a potential risk to vital system resources.
Please share some more detail about this query along with complete detail of your use case. We will then answer your query accordingly.

@tahir.manzoor
Thank you for the reply.
tahir.manzoor:

You can use Document.WarningCallback property to receive notifications during various document processing procedures when an issue is detected that might result in data or formatting fidelity loss.
Could you please share what kind of security notifications you want to receive while processing document?

Okay, we are looking to receive notifications when a new version of Aspose.Words for Java is released that includes some security fixes. So, this is not something we are looking for at the document level but from the product functionality, as to when we need to mandate uptake of the latest jars for security fixes.
tahir.manzoor:

The issues found after the Veracode scan have been fixed. Please use the latest version of Aspose.Words for Java, 18.9. If you are facing any issue, please report them in this thread.

We have not yet performed these scans. Do you have a summary of issues identified and % of issues fixed as of now? Or, is the code 100% compliant as of now?
We have not yet identified any specific issues as of now but are looking at the generic product guidance to be able to make informed decision for purchase of Aspose.Words for java. We will definitely report any issues identified here.
Thanks.

@Kundana
Thanks for your inquiry.
Kundana:

Okay, we are looking to receive notifications when a new version of Aspose.Words for Java is released that includes some security fixes.

The release notes of Aspose.Words are public. We add the bug fixes, enhancements and new features in the release notes.
Kundana:

We have not yet performed these scans. Do you have a summary of issues identified and % of issues fixed as of now? Or, is the code 100% compliant as of now?

We have checked the Veracode security scan and fixed the related issues. The fix will be available in next version of Aspose.Words for Java 18.10. The issue ID is WORDSJAVA-1663. You will be notified via this forum thread once next version of Aspose.Words is published.

@tahir.manzoor
tahir.manzoor:

The release notes of Aspose.Words are public. We add the bug fixes, enhancements and new features in the release notes.

I understand the release notes are public and we can come and review them, but what I am looking for is: is there a way for Aspose to send a notification or an email to a customer when the new version is released?
tahir.manzoor:

We have checked the Veracode security scan and fixed the related issues. The fix will be available in the next version of Aspose.Words for Java, 18.10. The issue ID is WORDSJAVA-1663. You will be notified via this forum thread once the next version of Aspose.Words is published.

So, can we assume that all the security flaws identified till now will be fixed in the next release and anything identified will be fixed in subsequent releases?

@Kundana
Thanks for your inquiry.
Kundana:

I understand the release notes are public and we can come and review them, but what I am looking for is: is there a way for Aspose to send a notification or an email to a customer when the new version is released?

We do not send emails to customers for release notes. However, we send an email notification to customers for the issues that they reported in the Aspose.Words forum. E.g. you will get the notification for issue WORDSJAVA-1663. The new version of Aspose.Words comes out at the start of every month and we publish a blog post for every release. You can find the details in our blog posts.
Kundana:

So, can we assume that all the security flaws identified till now will be fixed in the next release and anything identified will be fixed in subsequent releases?

Yes, your understanding is correct. However, if you face any issue, please report it in Aspose.Words forum.

@tahir.manzoor
In the forum it is stated that “Aspose.Words does not run static code scans.” Can you please clarify this? Are you running the Veracode scans or not?
Also, are the issues reported in the below threads already fixed or are being fixed?
Static code scans of Aspose.Words
Security flaws through static code scan
How are you addressing the XXE attacks issue?
Thanks,
Kundana.

@Kundana
Thanks for your inquiry.
Kundana:

Can you please clarify this? Are you running the Veracode scans or not?

We do not run static code scans (e.g. Veracode scans) for every Aspose.Words release.
Kundana:

Also, are the issues reported in the below threads already fixed or are being fixed?

Yes, the issue has been fixed and its ID (WORDSJAVA-1663) was already shared in this thread.
Kundana:

How are you addressing the XXE attacks issue?

Aspose.Words is protected against XXE vulnerabilities. We have already updated the API's XmlReader settings to ensure that it is not vulnerable to XXE.
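For readers evaluating the XXE answer above, the following is an added illustration of what "parser settings hardened against XXE" means in Java; it is not Aspose's code and says nothing about how Aspose.Words is configured internally. It configures a DOM parser to reject any DOCTYPE and shows the equivalent properties for a StAX factory (the API that Woodstox, listed later in this thread, implements). The class name XxeSafeParsing and the two sample documents are constructed for the example; the entity URI is a placeholder that is never dereferenced.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example (hypothetical class name): XML parser configuration that closes the
// external-entity (XXE) and external-DTD paths for documents from untrusted sources.
public final class XxeSafeParsing {

    // DOM parser that rejects any DOCTYPE outright; the strongest setting when the
    // formats you accept never legitimately carry one. The remaining features are
    // defence in depth for parsers that ignore disallow-doctype-decl.
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // The same hardening for a StAX (streaming) reader: no DTD processing at all and
    // no resolution of external entities.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Parses untrusted XML with the hardened DOM parser. Returns the root element name,
    // or null when the parser rejected the document (any DOCTYPE lands in the catch).
    static String rootElementOf(String xml) throws Exception {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document part, and one carrying a DOCTYPE that declares
        // an external entity. The SYSTEM URI is a placeholder; the hardened parser stops at the
        // DOCTYPE and never attempts to read it.
        String benign = "<w:document xmlns:w=\"urn:example\"><w:body/></w:document>";
        String withDoctype =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>\n"
          + "<d>&ext;</d>";

        System.out.println("benign root: " + rootElementOf(benign));
        System.out.println("doctype root: " + rootElementOf(withDoctype));
    }
}
```

When assessing a third-party library you cannot see inside, the practical check is behavioural: feed it a document part containing a DOCTYPE with an external entity pointing at a URI you control and confirm the entity is neither fetched nor expanded, which is exactly what the second input above exercises against the hardened parser.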

@tahir.manzoor
Thanks for all your timely responses.
One more confirmation:
From the thread Aspose.Words for Java - Any dependencies on other software products/libraries?, we understand that Aspose is not using any third-party software. But this thread is old. Can you re-confirm that Aspose.Words for Java is not using any third-party libraries now as well?
Thanks,
Kundana.

@Kundana
Thanks for your inquiry. When you unzip Aspose.Words.Java.zip, one of the folders is named ‘License’. Open the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ with notepad and you will find the required information about open source components used in Aspose.Words for Java.

@tahir.manzoor
Our product has stringent scrutiny while uptaking third-party software and we have to follow a rigid process to get everything verified. So all your answers are very important for us to continue our evaluation, and thank you for the prompt replies.
I could find the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ only in the latest .jar. It is not available in the older jars like 18.5 and 18.6. Is this a new development or did we miss something?
Also, the list specified is as follows:
Fanwood license
Streaming API for XML license
Woodstox Project license
Woodstox XML processor license
Legion of the Bouncy Castle Java cryptography API license
ObjectPlanet’s Java PngEncoder
International Components for Unicode (ICU) v.3.4
Unicode Data Files and Software
Animated GIF library for Java v.1.5
Can you mention the versions of these libraries/products being used in 18.10 of Aspose.Words for Java to validate if they are latest? We are planning to uptake 18.10 since it seems to fix some of the security features as required by our product.
Also, are any of these viral licenses? Can you please confirm.
Regards,
Kundana.

@Kundana
Thanks for your inquiry. We are working over your queries and will get back to you soon.

@tahir.manzoor
Can you also add this question to the above list:
The license from ObjectPlanet’s Java PngEncoder. Will Aspose the binary or source code along with the jars?

@Kundana
Please give us some time. We will answer this query also. Thanks for your cooperation.

@tahir.manzoor
Do you have any update for us on the questions we have asked?
Thanks.

@Kundana
We logged a ticket as WORDSJAVA-1910 in our issue tracking system for your query. Unfortunately, there is no update available on it. We will inform you via this forum thread once there is an update available on it.
We apologize for your inconvenience.

@tahir.manzoor
It's already been a week that we have been waiting for the responses. This is impacting our timelines. Can you please check if this request can be expedited?
Thanks,
Kundana.

@Kundana
We are working over your query and will get back to you soon. We apologize for your inconvenience.