Security related questions in Aspose.Words for Java

@tahir.manzoor
In the forum it is stated that “Aspose.Words does not run static code scans.” Can you please clarify this? Are you running Veracode scans or not?
Also, are the issues reported in the below threads already fixed or are being fixed?
Static code scans of Aspose.Words
Security flaws through static code scan
How are you addressing the XXE attacks issue?
Thanks,
Kundana.

@Kundana
Thanks for your inquiry.
Kundana:

Can you please clarify this? Are you running the Veracode scans or not?

We do not run static code scans (e.g. Veracode scans) for every Aspose.Words release.
Kundana:

Also, are the issues reported in the below threads already fixed or are being fixed?

Yes, the issue has been fixed and its ID (WORDSJAVA-1663) was already shared in this thread.
Kundana:

How are you addressing the XXE attacks issue?

Aspose.Words is protected against XXE Vulnerabilities. We had already updated API XmlReader settings to ensure that it is not vulnerable to XXE.
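The reply above refers to XmlReader settings, which is the .NET parser. For readers integrating the Java edition, the following is an added example (not Aspose's code and not taken from this thread) showing the equivalent hardening of the standard JAXP parsers in a Java application: the DOM factory refuses any DOCTYPE, and the StAX factory (the API that Woodstox implements) disables DTD processing and external entity resolution. The class name, the two sample documents and the check functions are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample: a document that carries a DOCTYPE with an entity declaration.
    // A hardened DOM parser refuses the DOCTYPE outright, so no entity is ever expanded.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [ <!ENTITY greeting \"hello\"> ]>\n" +
        "<doc>&greeting;</doc>";

    // Constructed sample: an ordinary document with no DOCTYPE at all.
    static final String PLAIN = "<?xml version=\"1.0\"?><doc>hello</doc>";

    /** DOM factory with DOCTYPE and external entity processing disabled. */
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: forbid the DOCTYPE declaration entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE ever has to be allowed elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** StAX factory (Woodstox or the JDK default) with DTD support and external entities off. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Returns true if the hardened DOM parser accepted the input, false if it rejected it. */
    static boolean domAccepts(String xml) throws Exception {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    /** Returns true if the hardened StAX reader consumed the input, false if it rejected it. */
    static boolean staxAccepts(String xml) {
        try {
            XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
            }
            return true;
        } catch (XMLStreamException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM  plain document accepted:   " + domAccepts(PLAIN));
        System.out.println("DOM  DOCTYPE document accepted: " + domAccepts(WITH_DOCTYPE));
        System.out.println("StAX plain document accepted:   " + staxAccepts(PLAIN));
        System.out.println("StAX DOCTYPE document accepted: " + staxAccepts(WITH_DOCTYPE));
    }
}
```

With the JDK's built-in Xerces the DOM factory accepts the plain document and rejects the one with a DOCTYPE, which is the behaviour to verify in a test suite. How the StAX provider reports the DOCTYPE once DTD support is off differs between implementations (the JDK default and Woodstox do not behave identically), so run the check against the provider actually on your classpath rather than assuming the result.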

@tahir.manzoor
Thanks for all your timely responses.
One more confirmation:
From the thread Aspose.Words for Java - Any dependencies on other software products/libraries? , we understand that Aspose is not using any third-party software. But this thread is old. Can you re-confirm that Aspose.Words for Java is not using any third-party libraries now as well?
Thanks,
Kundana.

@Kundana
Thanks for your inquiry. When you unzip Aspose.Words.Java.zip, one of the folders is named ‘License’. Open the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ with notepad and you will find the required information about open source components used in Aspose.Words for Java.

@tahir.manzoor
Our product has stringent scrutiny when uptaking third-party software and we have to follow a rigid process to get everything verified. So all your answers are very important for us to continue our evaluation, and thank you for the prompt replies.
I could find the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ only in the latest .jar. It is not available in the older jars like 18.5 and 18.6. Is this a new development or did we miss something?
Also, the list specified is as follows:
Fanwood license
Streaming API for XML license
Woodstox Project license
Woodstox XML processor license
Legion of the Bouncy Castle Java cryptography API license
ObjectPlanet’s Java PngEncoder
International Components for Unicode (ICU) v.3.4
Unicode Data Files and Software
Animated GIF library for Java v.1.5
Can you mention the versions of these libraries/products being used in 18.10 of Aspose.Words for Java so we can validate whether they are the latest? We are planning to uptake 18.10 since it seems to fix some of the security features required by our product.
Also, are any of these viral licenses? Can you please confirm?
Regards,
Kundana.

@Kundana
Thanks for your inquiry. We are working over your queries and will get back to you soon.

@tahir.manzoor
Can you also add this question to the above list:
The license from ObjectPlanet’s Java PngEncoder. Will Aspose the binary or source code along with the jars?

@Kundana
Please give us some time. We will answer this query also. Thanks for your cooperation.

@tahir.manzoor
Do you have any update for us on the questions we have asked?
Thanks.

@Kundana
We logged a ticket as WORDSJAVA-1910 in our issue tracking system for your query. Unfortunately, there is no update available on it. We will inform you via this forum thread once there is an update available on it.
We apologize for your inconvenience.

@tahir.manzoor
It's already been a week that we have been waiting for the responses. This is impacting our timelines. Can you please check if this request can be expedited?
Thanks,
Kundana.

@Kundana
We are working over your query and will get back to you soon. We apologize for your inconvenience.

The issues you have found earlier (filed as WORDSJAVA-1663) have been fixed in this Aspose.Words for .NET 18.10 update and this Aspose.Words for Java 18.10 update.

@Kundana
Thanks for your patience.
Kundana:

Our product has stringent scrutiny while up-taking third party softwares and we have to follow a rigid process to get everything verified.

All our Enterprise customers are practicing the same approach. IBM is especially strict about 3rd party licenses.
Kundana:

I could find the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ only in the latest .jar. It is not available in the older jars like 18.5 and 18.6. Is this new development or did we miss something?

The file has existed since May 2012. Before this there were separate license files for each 3rd party library. Please download the latest version of Aspose.Words for Java 18.10 from the following link. It contains the thirdpartylicenses-Aspose.Words for Java.txt in the license folder.
Download Aspose.Words for Java 18.10
Kundana:

Can you mention the versions of these libraries/products being used in 18.10 of Aspose.Words for Java to validate if they are latest? We are planning to uptake 18.10 since it seems to fix some of the security features as required by our product.

We do not have a practice of automatically updating 3rd party licenses to the latest version:

  1. We have some custom code inside some libraries - it can’t be updated automatically.
  2. Before releasing our Jar with updated 3rd party libraries, we have to perform additional tests.

Could you please share exactly which versions of which libraries you need?
Kundana:

Also, any of these are viral licenses? Can you please confirm.

Could you please elaborate this query? We will then answer your query accordingly.
Kundana:

The license from ObjectPlanet’s Java PngEncoder. Will Aspose the binary or source code along with the jars?

We have some of our own custom source code. Only a few needed classes from the PngEncoder jar are obfuscated into our jar. So we avoid Jar Hell.

tahir.manzoor:

The file has existed since May 2012. Before this there were separate license files for each 3rd party library. Please download the latest version of Aspose.Words for Java 18.10 from the following link. It contains the thirdpartylicenses-Aspose.Words for Java.txt in the license folder.
Download Aspose.Words for Java 18.10

Thank you, we took the latest jars and are testing them.
tahir.manzoor:

We do not have a practice of automatically updating 3rd party licenses to the latest version:

  1. We have some custom code inside some libraries - it can’t be updated automatically.
  2. Before releasing our Jar with updated 3rd party libraries, we have to perform additional tests.

Could you please share exactly which versions of which libraries you need?

So, we understand that you have custom code in the 3rd party libraries you are using and so cannot uptake the latest versions of those libraries. So, what are the specific versions of those libraries you are using?
For example: ObjectPlanet’s Java PngEncoder latest version is 2.0.2. Are you using this or a specific older version like 2.0 or 1.1, etc.?
This is what we are looking for for each of the third-party libraries you use.
tahir.manzoor:

We have some of our own custom source code. Only a few needed classes from the PngEncoder jar are obfuscated into our jar. So we avoid Jar Hell.

So, here you are saying the classes required are already part of the Aspose jar that you provide. Is our understanding correct?
Thanks,
Kundana

@Kundana
Thanks for your inquiry.
Kundana:

This is what we are looking for for each of the third-party libraries you use.

Please share for what purpose you need the version number of 3rd party libraries. Please also share complete detail of your use case.
Kundana:

Is our understanding correct?

Yes, your understanding is correct.

@Kundana
Kundana:

This is what we are looking for for each of the third-party libraries you use.

Here is the full list of 3rd party libraries with versions:

  • Fanwood font v.1.1
  • Streaming API for XML v.3.1.4
  • Woodstox Project v.5.0.1
  • Woodstox XML processor v.5.0.1
  • Legion of the Bouncy Castle Java cryptography API v.1.0.1
  • ObjectPlanet’s Java PngEncoder v.2.0.2
  • International Components for Unicode (ICU) v.3.4
  • Animated GIF library for Java v.1.5

The thirdpartylicenses-Aspose.Words for Java.txt will be updated accordingly.

@tahir.manzoor
tahir.manzoor:

Here is the full list of 3rd party libraries with versions:

  • Fanwood font v.1.1
  • Streaming API for XML v.3.1.4
  • Woodstox Project v.5.0.1
  • Woodstox XML processor v.5.0.1
  • Legion of the Bouncy Castle Java cryptography API v.1.0.1
  • ObjectPlanet’s Java PngEncoder v.2.0.2
  • International Components for Unicode (ICU) v.3.4
  • Animated GIF library for Java v.1.5

Thank you for this list. We are working on this and will get back to you if we have further questions.

@Kundana
Please feel free to ask if you have any question about Aspose.Words, we will be happy to help you.
