Security related questions in Aspose.Words for Java

@Kundana
Thanks for your inquiry.
Kundana:

  • Is there a way we can receive notifications of any security issues found in the Aspose software?

You can use Document.WarningCallback property to receive notifications during various document processing procedures when an issue is detected that might result in data or formatting fidelity loss.
Could you please share what kind of security notifications you want to receive while processing documents?
Kundana:

How do we report security issues found in Aspose?

Please report the issues you are facing in Aspose.Words forum.
Kundana:

Have you performed any security code scans on Aspose libraries, like a Veracode scan, Fortify, etc.? Do you have a valid of issues identified and addressed?

The issues found after the Veracode scan have been fixed. Please use the latest version of Aspose.Words for Java, 18.9. If you are facing any issue, please report it in this thread.
Kundana:

  • What is the typical timeline in which you can fix the security related issues reported?

We try our best to deal with every customer request in a timely fashion, but we unfortunately cannot guarantee a delivery date for every customer issue. We work on issues on a first come, first served basis. We feel this is the fairest and most appropriate way to satisfy the needs of the majority of our customers.
Aspose products are very secure. Could you please share what kind of security issues you are facing while using Aspose.Words?
Kundana:

  • How safe are the XML parsers provided by Aspose w.r.t. the security vulnerabilities possible? What steps do you take to ensure these parsers are safe?

Aspose components run in the same user context as any regular application. Therefore, Aspose components do not pose a potential risk to vital system resources.
Please share some more detail about this query along with complete detail of your use case. We will then answer your query accordingly.
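The Document.WarningCallback mentioned in the reply above reports fidelity loss, not security findings, but it is still the only hook a caller gets while Aspose.Words parses an untrusted file. The following is an added example (not code from the thread or from Aspose) showing how to register the callback at both points where warnings are raised and apply a fail-closed policy of our own choosing. It assumes the public Aspose.Words for Java API names IWarningCallback, WarningInfo, LoadOptions.setWarningCallback and the WarningType constants UNEXPECTED_CONTENT and DATA_LOSS; the reject-on-warning policy and the placeholder file name are this example's assumptions, not Aspose guidance.

```java
import com.aspose.words.Document;
import com.aspose.words.IWarningCallback;
import com.aspose.words.LoadOptions;
import com.aspose.words.WarningInfo;
import com.aspose.words.WarningType;
import java.util.ArrayList;
import java.util.List;

public class WarningAudit {

    /** Records every warning instead of letting it vanish silently. */
    static final class CollectingCallback implements IWarningCallback {
        final List<WarningInfo> warnings = new ArrayList<>();

        @Override
        public void warning(WarningInfo info) {
            warnings.add(info);
        }
    }

    /**
     * Loads a document with warnings captured and decides whether to keep processing it.
     * Policy (an assumption of this example, not Aspose guidance): unexpected content or
     * data loss reported while loading an untrusted upload is grounds to reject the file.
     */
    static Document loadOrReject(String path) throws Exception {
        CollectingCallback cb = new CollectingCallback();

        LoadOptions opts = new LoadOptions();
        opts.setWarningCallback(cb);      // warnings raised while the file is parsed
        Document doc = new Document(path, opts);
        doc.setWarningCallback(cb);       // warnings raised by later operations (save, render)

        for (WarningInfo w : cb.warnings) {
            System.out.println("warning type " + w.getWarningType() + " from source "
                + w.getSource() + ": " + w.getDescription());
            if (w.getWarningType() == WarningType.UNEXPECTED_CONTENT
                    || w.getWarningType() == WarningType.DATA_LOSS) {
                throw new IllegalArgumentException("rejecting " + path + ": " + w.getDescription());
            }
        }
        return doc;
    }

    public static void main(String[] args) throws Exception {
        // "untrusted-upload.docx" is a placeholder; pass any .docx path as the first argument.
        String path = args.length > 0 ? args[0] : "untrusted-upload.docx";
        Document doc = loadOrReject(path);
        System.out.println("accepted " + path + ", pages: " + doc.getPageCount());
    }
}
```

Registering the callback on LoadOptions and on the Document are separate steps: the first only sees warnings from the load itself, the second only sees warnings from operations performed on the loaded document afterwards.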

@tahir.manzoor
Thank you for the reply.
tahir.manzoor:

You can use Document.WarningCallback property to receive notifications during various document processing procedures when an issue is detected that might result in data or formatting fidelity loss.
Could you please share what kind of security notifications you want to receive while processing documents?

Okay, we are looking to receive notifications when a new version of Aspose.Words for Java is released that includes some security fixes. So, this is not something we are looking for at the document level but from the product functionality, as to when we need to mandate uptake of the latest jars for security fixes.
tahir.manzoor:

The issues found after the Veracode scan have been fixed. Please use the latest version of Aspose.Words for Java, 18.9. If you are facing any issue, please report it in this thread.

We have not yet performed these scans. Do you have a summary of issues identified and the % of issues fixed as of now? Or is the code 100% compliant as of now?
We have not yet identified any specific issues as of now but are looking at the generic product guidance to be able to make an informed decision for the purchase of Aspose.Words for Java. We will definitely report any issues identified here.
Thanks.

@Kundana
Thanks for your inquiry.
Kundana:

Okay, we are looking to receive notifications when a new version of Aspose.Words for Java is released that includes some security fixes.

The release notes of Aspose.Words are public. We add the bug fixes, enhancements and new features to the release notes.
Kundana:

We have not yet performed these scans. Do you have a summary of issues identified and the % of issues fixed as of now? Or is the code 100% compliant as of now?

We have checked the Veracode security scan and fixed the related issues. The fix will be available in the next version of Aspose.Words for Java, 18.10. The issue ID is WORDSJAVA-1663. You will be notified via this forum thread once the next version of Aspose.Words is published.

@tahir.manzoor
tahir.manzoor:

The release notes of Aspose.Words are public. We add the bug fixes, enhancements and new features to the release notes.

I understand the release notes are public and we can come and review them, but what I am looking for is: is there a way for Aspose to send a notification or an email to a customer when a new version is released?
tahir.manzoor:

We have checked the Veracode security scan and fixed the related issues. The fix will be available in the next version of Aspose.Words for Java, 18.10. The issue ID is WORDSJAVA-1663. You will be notified via this forum thread once the next version of Aspose.Words is published.

So, can we assume that all the security flaws identified till now will be fixed in the next release and anything identified will be fixed in subsequent releases?

@Kundana
Thanks for your inquiry.
Kundana:

I understand the release notes are public and we can come and review them, but what I am looking for is: is there a way for Aspose to send a notification or an email to a customer when a new version is released?

We do not send emails to customers for release notes. However, we send email notifications to customers for the issues that they reported in the Aspose.Words forum, e.g. you will get a notification for issue WORDSJAVA-1663. The new version of Aspose.Words comes out at the start of every month and we publish a blog post for every release. You can find the details in our blog posts.
Kundana:

So, can we assume that all the security flaws identified till now will be fixed in the next release and anything identified will be fixed in subsequent releases?

Yes, your understanding is correct. However, if you face any issue, please report it in the Aspose.Words forum.

@tahir.manzoor
In the forum it is stated that “Aspose.Words does not run static code scans.” Can you please clarify this? Are you running the Veracode scans or not?
Also, are the issues reported in the below threads already fixed or are being fixed?
Static code scans of Aspose.Words
Security flaws through static code scan
How are you addressing the XXE attacks issue?
Thanks,
Kundana.

@Kundana
Thanks for your inquiry.
Kundana:

Can you please clarify this? Are you running the Veracode scans or not?

We do not run static code scans (e.g. Veracode scans) for every Aspose.Words release.
Kundana:

Also, are the issues reported in the below threads already fixed or are being fixed?

Yes, the issue has been fixed and its ID (WORDSJAVA-1663) was already shared in this thread.
Kundana:

How are you addressing the XXE attacks issue?

Aspose.Words is protected against XXE vulnerabilities. We have already updated the API's XmlReader settings to ensure that it is not vulnerable to XXE.
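The reply above names XmlReader settings, which is the .NET parser API; the thread does not show how the Java build configures its parsers. As an added example (not Aspose's code), the following demonstrates the Java-side equivalents a reviewer would look for: the JDK DOM parser with external entity resolution left at its defaults, the same parser hardened, and the StAX API (which the Woodstox library listed later in this thread implements) hardened. The probe document, the file path it points at and the class and method names are this example's constructions; the feature and property names are standard JAXP/SAX/StAX identifiers.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeHardening {

    // Constructed probe (not from the thread): the DOCTYPE declares an external entity that
    // points at a local file. A parser that resolves it copies the file into <data>.
    static final String PROBE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<data>&xxe;</data>";

    /** The vulnerable shape: JDK defaults resolve external general entities. */
    static String dataTextUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    /** DOM parsing with every external-entity path closed. */
    static String dataTextHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing any DOCTYPE is the strongest setting: no entity declarations, no DTD fetches.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    /** StAX hardened the same way; an unexpanded reference is treated as hostile input. */
    static String dataTextStaxHardened(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = xif.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    // With expansion disabled the reference surfaces as an event: fail closed.
                    throw new IllegalStateException("unexpanded entity reference: " + r.getLocalName());
                }
            }
        } finally {
            r.close();
        }
        return text.toString();
    }

    interface Parse { String run(String xml) throws Exception; }

    public static void main(String[] args) {
        String[] names = {"default DOM", "hardened DOM", "hardened StAX"};
        Parse[] parsers = {
            XxeHardening::dataTextUnsafe,
            XxeHardening::dataTextHardened,
            XxeHardening::dataTextStaxHardened
        };
        for (int i = 0; i < names.length; i++) {
            try {
                System.out.println(names[i] + ": <data> = '" + parsers[i].run(PROBE).trim() + "'");
            } catch (Exception e) {
                System.out.println(names[i] + ": rejected: " + e.getMessage());
            }
        }
    }
}
```

On a typical Linux JDK the first line prints the machine's hostname, which is the leak; the hardened DOM parser rejects the document at the DOCTYPE, and the hardened StAX reader either rejects it or reports the reference unexpanded, which the loop turns into a rejection. Whether an exception or an ENTITY_REFERENCE event is what you see depends on the StAX implementation, so the code handles both.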

@tahir.manzoor
Thanks for all your timely responses.
One more confirmation:
From the thread Aspose.Words for Java - Any dependencies on other software products/libraries?, we understand that Aspose is not using any third-party software. But this thread is old. Can you re-confirm that Aspose.Words for Java is not using any third-party libraries now as well?
Thanks,
Kundana.

@Kundana
Thanks for your inquiry. When you unzip Aspose.Words.Java.zip, one of the folders is named ‘License’. Open the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ with notepad and you will find the required information about open source components used in Aspose.Words for Java.

@tahir.manzoor
Our product has stringent scrutiny when uptaking third-party software, and we have to follow a rigid process to get everything verified. So all your answers are very important for us to continue our evaluation, and thank you for the prompt replies.
I could find the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ only in the latest .jar. It is not available in the older jars like 18.5 and 18.6. Is this new development or did we miss something?
Also, the list specified is as follows:
Fanwood license
Streaming API for XML license
Woodstox Project license
Woodstox XML processor license
Legion of the Bouncy Castle Java cryptography API license
ObjectPlanet’s Java PngEncoder
International Components for Unicode (ICU) v.3.4
Unicode Data Files and Software
Animated GIF library for Java v.1.5
Can you mention the versions of these libraries/products being used in 18.10 of Aspose.Words for Java to validate if they are latest? We are planning to uptake 18.10 since it seems to fix some of the security features as required by our product.
Also, are any of these viral licenses? Can you please confirm?
Regards,
Kundana.

@Kundana
Thanks for your inquiry. We are working over your queries and will get back to you soon.

@tahir.manzoor
Can you also add this question to the above list:
The license from ObjectPlanet’s Java PngEncoder. Will Aspose the binary or source code along with the jars?

@Kundana
Please give us some time. We will answer this query also. Thanks for your cooperation.

@tahir.manzoor
Do you have any update for us on the questions we have asked?
Thanks.

@Kundana
We logged a ticket as WORDSJAVA-1910 in our issue tracking system for your query. Unfortunately, there is no update available on it. We will inform you via this forum thread once there is an update available on it.
We apologize for your inconvenience.

@tahir.manzoor
It's already been a week that we have been waiting for the responses. This is impacting our timelines. Can you please check if this request can be expedited?
Thanks,
Kundana.

@Kundana
We are working over your query and will get back to you soon. We apologize for your inconvenience.

The issues you have found earlier (filed as WORDSJAVA-1663) have been fixed in this Aspose.Words for .NET 18.10 update and this Aspose.Words for Java 18.10 update.

@Kundana
Thanks for your patience.
Kundana:

Our product has stringent scrutiny when uptaking third-party software, and we have to follow a rigid process to get everything verified.

All our Enterprise customers are practicing the same approach. IBM is especially strict about 3rd party licenses.
Kundana:

I could find the file ‘thirdpartylicenses-Aspose.Words for Java.txt’ only in the latest .jar. It is not available in the older jars like 18.5 and 18.6. Is this new development or did we miss something?

The file has existed since May 2012. Before that, there were separate license files for each 3rd party library. Please download the latest version of Aspose.Words for Java, 18.10, from the following link. It contains thirdpartylicenses-Aspose.Words for Java.txt in the license folder.
Download Aspose.Words for Java 18.10
Kundana:

Can you mention the versions of these libraries/products being used in 18.10 of Aspose.Words for Java to validate if they are latest? We are planning to uptake 18.10 since it seems to fix some of the security features as required by our product.

We do not have a practice of automatically updating 3rd party licenses to the latest version:

  1. We have some custom code inside some libraries - it can’t be updated automatically.
  2. Before releasing our Jar with updated 3rd party libraries we have to perform additional tests.

Could you please share exactly which versions of which libraries you need?
Kundana:

Also, are any of these viral licenses? Can you please confirm?

Could you please elaborate this query? We will then answer your query accordingly.
Kundana:

The license from ObjectPlanet’s Java PngEncoder. Will Aspose the binary or source code along with the jars?

We have some custom source code of our own. Only a few needed classes from the PngEncoder jar are obfuscated into our jar, so we avoid Jar Hell.

tahir.manzoor:

The file has existed since May 2012. Before that, there were separate license files for each 3rd party library. Please download the latest version of Aspose.Words for Java, 18.10, from the following link. It contains thirdpartylicenses-Aspose.Words for Java.txt in the license folder.
Download Aspose.Words for Java 18.10

Thank you, we took the latest jars and are testing them.
tahir.manzoor:

We do not have a practice of automatically updating 3rd party licenses to the latest version:

  1. We have some custom code inside some libraries - it can’t be updated automatically.
  2. Before releasing our Jar with updated 3rd party libraries we have to perform additional tests.

Could you please share exactly which versions of which libraries you need?

So, we understand that you have custom code in the 3rd party libraries you are using and so cannot uptake the latest versions of those libraries. So, what are the specific versions of those libraries you are using?
For example: ObjectPlanet's Java PngEncoder latest version is 2.0.2. Are you using this or a specific older version like 2.0 or 1.1, etc.?
This is what we are looking for, for each of the third-party versions you use.
tahir.manzoor:

We have some custom source code of our own. Only a few needed classes from the PngEncoder jar are obfuscated into our jar, so we avoid Jar Hell.

So, here you are saying the classes required are already part of the Aspose jar that you provide. Is our understanding correct?
Thanks,
Kundana