Static code scans of Aspose.Words

Aspose Support:

We are about to purchase Aspose.Words Java and we were wondering if Aspose was running static code scans on Aspose.Words as a practice before releasing it to the world. Everything we put into our software has to go through static code scans. I saw other customers reporting in this forum that they had run Veracode against some Aspose products themselves, and you seemed to be pretty responsive about the vulnerabilities reported, but I was wondering if it was standard practice at Aspose to run such scans.

As a reference, here are the other two forum posts about a similar topic:

Regards,

Etienne

@etienne.hardy,

Thanks for your inquiry. Aspose.Words does not run static code scans. However, we fixed the issues mentioned in the topic you shared. Please note that Aspose products are very secure and are tested thoroughly.

We have run Aspose.Words 17.9 Java version through VeraCode and the report indicates one Very High vulnerability, 27 Medium vulnerabilities and a bunch of Lows. We would need at least the Very High to be looked at and fixed before we can put Aspose in production. I have attached the report to this message.

Aspose_Words_17.9_26_Sep_2017.pdf (232.2 KB)

Thanks

Etienne

@etienne.hardy,

Thanks for sharing the detail. We have logged this problem in our issue tracking system as WORDSJAVA-1663. We will inform you via this forum thread once there is any update available on this.

Without looking at the whole report, if you could get back to me about the Very High vulnerability that was reported and let me know if it’s real or a false positive, that would be important. We’re very close to buying, but we’d need clarification about this particular one before buying and putting Aspose in production.

Thank you.

@etienne.hardy,

Thanks for your inquiry. If the report shared in your previous post is not complete, please share the complete VeraCode security report. We will update WORDSJAVA-1663 in our issue tracking system. Thanks for your cooperation.

The report is complete. I was simply clarifying that for the short term, I only need an answer about the Very High vulnerability.

Thanks

@etienne.hardy,

Thanks for sharing the detail. Once our product team completes the analysis of this issue, we will then update you accordingly.

Hi Tahir,

Any updates on this? We’re waiting on an update before purchasing Aspose Words. Minimally, I’d like to have an idea of a timeline for getting a response back.

Thanks

Etienne

@etienne.hardy,

Thanks for your inquiry. We try our best to deal with every customer request in a timely fashion, but we unfortunately cannot guarantee a delivery date for every customer issue. Our developers work on issues on a first come, first served basis. We feel this is the fairest and most appropriate way to satisfy the needs of the majority of our customers.

Currently, WORDSJAVA-1663 is pending for analysis and is in the queue. Once our product team completes the analysis of this issue, we will then be able to provide you an estimate.

Thanks for your patience and understanding.

Hi,

Any updates on this? Also, out of curiosity, what would be the response time for such an issue if we were to have paid support? The reason I’m asking is that we have commitments to our customers that any High vulnerabilities found have to be fixed within a 30-day time window. So if such a situation were to happen with Aspose.Words after we put it in production, would we get an answer faster if we had paid support?

Thanks

@etienne.hardy,

Thanks for your inquiry. We would like to share with you that issues are addressed and resolved on a first come, first served basis. Currently, your issue is pending analysis and is in the queue, and it will be treated with normal priority. Please read about Paid Support Policies and open a new ticket in the Paid Support forum for a faster response.

The issues you have found earlier (filed as WORDSJAVA-1663) have been fixed in this Aspose.Words for .NET 18.10 update and this Aspose.Words for Java 18.10 update.

A post was split to a new topic: CVE and Aspose.Words