Free Support Forum - aspose.com

Security related questions in Aspose.Words for Java


Thanks for your inquiry.

The release notes of Aspose.Words are public. We add the bug fixes, enhancements and new features in the release notes.

We have checked the Veracode security scan and fixed the related issues. The fix will be available in the next version of Aspose.Words for Java 18.10. The issue ID is WORDSJAVA-1663. You will be notified via this forum thread once the next version of Aspose.Words is published.


I understand the release notes are public and we can come and review them, but what I am looking for is: is there a way for Aspose to send a notification or an email to a customer when the new version is released?

So, can we assume that all the security flaws identified till now will be fixed in the next release and anything identified will be fixed in subsequent releases?


Thanks for your inquiry.

We do not send email to customers for release notes. However, we send the email notification to customers for the issues that they reported in Aspose.Words forum. E.g. you will get the notification for issue WORDSJAVA-1663. The new version of Aspose.Words comes out at the start of every month and we publish the blog post for every release. You can find the detail in our blog posts.

Yes, your understanding is correct. However, if you face any issue, please report it in Aspose.Words forum.


In the forum it is stated that “Aspose.Words does not run static code scans.” Can you please clarify this? Are you running the Veracode scans or not?

Also, are the issues reported in the below threads already fixed or are being fixed?
Static code scans of Aspose.Words
Security flaws through static code scan

How are you addressing the XXE attacks issue?


Thanks for your inquiry.

We do not run static code scans (e.g. Veracode scans) for every Aspose.Words release.

Yes, the issue has been fixed and its ID (WORDSJAVA-1663) was already shared in this thread.

Aspose.Words is protected against XXE Vulnerabilities. We had already updated API XmlReader settings to ensure that it is not vulnerable to XXE.
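
For readers evaluating a claim like the one above, this added example (not part of the thread and not Aspose's code) shows what XXE-hardening settings look like for the standard StAX API, which appears in the thread's third-party component list, together with a local canary check. It does not show how Aspose.Words configures its own parsers; the class name, the canary file and the sample XML are constructed for illustration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
public class StaxXxeCheck {
    // Constructed marker: if it shows up in parsed text, an external entity was resolved.
    static final String MARKER = "XXE-CANARY-constructed-sample";

    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Standard StAX properties: refuse DTDs and never fetch external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the character data seen by the parser, or the parser's rejection message.
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
            return text.toString();
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Local canary file stands in for any resource the parser must not read.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.writeString(canary, MARKER);
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x SYSTEM \""
            + canary.toUri() + "\">]><d>&x;</d>";
        try {
            boolean leaked = parse(hardenedFactory(), xml).contains(MARKER);
            System.out.println("hardened factory leaked canary: " + leaked);
            if (leaked) throw new AssertionError("external entity was resolved");
        } finally {
            Files.delete(canary);
        }
    }
}
```

The same canary approach can be applied to a document-processing library as a black box: embed the entity in an XML-based input format, convert it, and search the output for the marker.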

Thanks for all your timely responses.

One more confirmation:
From the thread Aspose.Words for Java - Any dependencies on other software products/libraries?, we understand that Aspose is not using any third-party software. But this thread is old. Can you re-confirm if Aspose.Words for Java is not using any third-party libraries now as well?


Thanks for your inquiry. When you unzip Aspose.Words.Java.zip, one of the folders is named ‘License’. Open the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ with notepad and you will find the required information about open source components used in Aspose.Words for Java.

Our product has stringent scrutiny while up-taking third-party software and we have to follow a rigid process to get everything verified. So all your answers are very important for us to continue our evaluation, and thank you for the prompt replies.

I could find the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ only in the latest .jar. It is not available in the older jars like 18.5 and 18.6. Is this a new development or did we miss something?

Also, the list specified is as follows:

Fanwood license
Streaming API for XML license
Woodstox Project license
Woodstox XML processor license
Legion of the Bouncy Castle Java cryptography API license
ObjectPlanet’s Java PngEncoder
International Components for Unicode (ICU) v.3.4
Unicode Data Files and Software
Animated GIF library for Java v.1.5

Can you mention the versions of these libraries/products being used in 18.10 of Aspose.Words for Java to validate if they are latest? We are planning to uptake 18.10 since it seems to fix some of the security features as required by our product.

Also, are any of these viral licenses? Can you please confirm.


Thanks for your inquiry. We are working over your queries and will get back to you soon.

Can you also add this question to the above list:
The license from ObjectPlanet’s Java PngEncoder. Will Aspose the binary or source code along with the jars?


Please give us some time. We will answer this query also. Thanks for your cooperation.

Do you have any update for us on the questions we have asked?


We logged a ticket as WORDSJAVA-1910 in our issue tracking system for your query. Unfortunately, there is no update available on it. We will inform you via this forum thread once there is an update available on it.

We apologize for your inconvenience.


It's already a week since we have been waiting for the responses. This is impacting our timelines. Can you please check if this request can be expedited?


We are working over your query and will get back to you soon. We apologize for your inconvenience.

The issues you have found earlier (filed as WORDSJAVA-1663) have been fixed in this Aspose.Words for .NET 18.10 update and this Aspose.Words for Java 18.10 update.


Thanks for your patience.

All our Enterprise customers are practicing the same approach. IBM is especially strict about 3rd party licenses.

The file has existed since May 2012. Before this there were separate license files for each 3rd party library. Please download the latest version of Aspose.Words for Java 18.10 from the following link. It contains the thirdpartylicenses-Aspose.Words for Java.txt in the license folder.
Download Aspose.Words for Java 18.10

We do not have a practice of automatically updating 3rd party licenses to the latest version:

  1. We have some custom code inside some libraries - it can’t be updated automatically.
  2. Before releasing our Jar with updated 3rd party libraries we have to perform additional tests.

Could you please share exactly which versions of which libraries you need?

Could you please elaborate on this query? We will then answer your query accordingly.

We have some of our own custom source code. Only a few needed classes from the PngEncoder jar are obfuscated into our jar. So we avoid the Jar Hell.

Thank you, we took the latest jars and are testing them.

So, we understand that you have custom code in the 3rd party libraries you are using and so cannot uptake the latest versions of those other libraries. So, what are the specific versions of those libraries you are using?
For example: ObjectPlanet’s Java PngEncoder latest version is 2.0.2. Are you using this or any specific older version like 2.0 or 1.1 etc.?
This is what we are looking at for each of the third-party versions you use.

So, here you are saying the classes required are already part of the Aspose jar that you provide. Is our understanding correct?



Thanks for your inquiry.

Please share for what purpose you need the version number of 3rd party libraries. Please also share complete detail of your use case.

Yes, your understanding is correct.


Here is the full list of 3rd party libraries with versions:

  • Fanwood font v.1.1
  • Streaming API for XML v.3.1.4
  • Woodstox Project v.5.0.1
  • Woodstox XML processor v.5.0.1
  • Legion of the Bouncy Castle Java cryptography API v.1.0.1
  • ObjectPlanet’s Java PngEncoder v.2.0.2
  • International Components for Unicode (ICU) v.3.4
  • Animated GIF library for Java v.1.5

The thirdpartylicenses-Aspose.Words for Java.txt will be updated accordingly.