All Aspose APIs/SDKs are checked from time to time for any kind of vulnerabilities (including CVE-xxxx), and we fix them internally (if any are found). We recommend that you try using the latest versions of the APIs. Please try using the Aspose APIs (latest versions) and, in case you face any issues regarding security, please let us know with details (e.g., which Aspose API and which version). We will check and address it accordingly.
We have logged a ticket with the ID “CELLSJAVA-45455” for your issue. We will evaluate for Aspose.Cells whether we need to upgrade the version of BouncyCastle for the security vulnerability you mentioned. Once we have an update on it, we will let you know.
Regarding other security vulnerabilities, we will evaluate using other Aspose APIs/SDKs and get back to you with updates.
Regarding Aspose.Slides, we have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.
Issue ID(s): SLIDESJAVA-39217
You can obtain Paid Support Services if you need support on a priority basis, along with direct access to our Paid Support management team.
Even in the Aspose.Cells for Java 23.3 that you are using, you can change the dependency version to use BouncyCastle version 1.68 or even the latest version 1.73 (please note that if you use v1.73, the “bcutil-*-1.73.jar” is also needed besides “bcprov-*-1.73.jar” and “bcpkix-*-1.73.jar”).
Thanks for investigating and taking action on the vulnerability we highlighted. Also, for scanning, we created our own pom.xml file to scan the Aspose libraries using our security tool. However, we are not sure whether that file refers to all the third-party libraries used by Aspose. Is it possible to share your pom.xml file so that we can cover all the libraries in the scan?
Aspose.Words for Java does not include dependencies on org.apache.xmlgraphics:fop and com.google.code.gson:gson. Other dependencies have been updated accordingly to the following versions:
org.bouncycastle:bc-fips - 188.8.131.52
com.fasterxml.woodstox:woodstox-core - 6.5.2
Thanks for the details. I understand that you gave a reference from Aspose for PDF only. But the vulnerable third-party / open-source references mentioned in this ticket are included from other Aspose libraries as well.
Also, the Apache reference is found in Aspose for PDF.
Aspose PDF: We can find the Apache reference after extracting the jar; it is also mentioned in “Aspose.PDF for Java .Agreements.pdf” located in META-INF. The same can be referenced in the Slides and Html libraries.
Other references I identified:
Aspose OMR: We can find the gson reference after extracting the jar.
Aspose Words: The Woodstox Streaming XML parser is referenced.
From your reply, “This .zip contains files that have all the information about third party APIs and licenses.”, I am not able to locate the third-party resource details (incl. artifacts and versions) after extracting the zip/jar. It would be helpful if you could give a reference like a pom.xml that includes these dependencies (for the other Aspose libraries also [Words, Slides, OMR, ... etc.]).
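The posts above find bundled third-party code by unzipping the jars and looking for package directories and META-INF files. The script below is an added example of automating that inspection; it is not code from this thread, from Aspose, or from the customer's scanner. It builds a small constructed jar in memory (class paths and a Maven pom.properties of the kind a repackaged dependency leaves behind) and reports which third-party namespaces and declared artifact coordinates it contains, so a vulnerability scanner can be pointed at those coordinates even when no pom.xml is shipped. The table mapping package roots to Maven coordinates is an assumption of the example and has to be extended for whatever a real jar contains.

```python
"""Inventory third-party code bundled inside a Java jar.

Added example, not part of the support thread or Aspose's own tooling.
Evidence used: class file paths under well-known package roots, and
META-INF/maven/<groupId>/<artifactId>/pom.properties files, which
repackaged dependencies often carry along with their version.
"""
import io
import sys
import zipfile
from collections import defaultdict

# Assumed mapping from package root (path form) to Maven coordinates.
# Longest matching root wins; extend this table for the jars you scan.
_KNOWN_ROOTS = {
    "org/bouncycastle": "org.bouncycastle",
    "com/google/gson": "com.google.code.gson:gson",
    "org/apache/fop": "org.apache.xmlgraphics:fop",
    "org/apache/xmlgraphics": "org.apache.xmlgraphics (xmlgraphics-commons)",
    "com/ctc/wstx": "com.fasterxml.woodstox:woodstox-core",
    "org/apache": "org.apache (other)",
}


def build_sample_jar() -> bytes:
    """Constructed sample jar: one product package plus three bundled
    third-party trees and a pom.properties for one of them."""
    buf = io.BytesIO()
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; body irrelevant here
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/product/Workbook.class", stub)
        zf.writestr("org/bouncycastle/jce/provider/BouncyCastleProvider.class", stub)
        zf.writestr("com/google/gson/Gson.class", stub)
        zf.writestr("com/ctc/wstx/stax/WstxInputFactory.class", stub)
        zf.writestr(
            "META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
            "#Generated by Maven\nversion=1.68\ngroupId=org.bouncycastle\n"
            "artifactId=bcprov-jdk15on\n",
        )
    return buf.getvalue()


def classify_package(entry: str):
    """Return the coordinates label for the longest known root that
    prefixes this class path, or None if it is not a known third party."""
    best_root, best_label = None, None
    for root, label in _KNOWN_ROOTS.items():
        if entry.startswith(root + "/") and (best_root is None or len(root) > len(best_root)):
            best_root, best_label = root, label
    return best_label


def parse_pom_properties(text: str) -> dict:
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inventory_jar(jar_bytes: bytes) -> dict:
    """Return {'packages': {label: class_count},
               'artifacts': [(groupId, artifactId, version), ...]}."""
    packages = defaultdict(int)
    artifacts = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                label = classify_package(name)
                if label is not None:
                    packages[label] += 1
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                artifacts.append((props.get("groupId", "?"),
                                  props.get("artifactId", "?"),
                                  props.get("version", "?")))
    return {"packages": dict(packages), "artifacts": sorted(artifacts)}


if __name__ == "__main__":
    # Usage: python jar_inventory.py some-library.jar  (no argument: sample jar)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar()
    result = inventory_jar(data)
    for label, count in sorted(result["packages"].items()):
        print(f"{label}: {count} class file(s)")
    for group, artifact, version in result["artifacts"]:
        print(f"declared: {group}:{artifact}:{version}")
```

A package root with no pom.properties beside it (gson and Woodstox in the sample) tells you a dependency is present but not which version; that is the gap the customer is asking Aspose to close, and in practice it means comparing class lists or checksums against the candidate upstream releases.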