Support for Veracode Security Scans

Aspose Support:

CVSHealth recently began using Aspose.Words for Java, and one of our enterprise standards is to submit all code to a security scan by Veracode (www.veracode.com). When we scanned aspose-words-15.2.0-jdk16.jar, Veracode identified the following 83 potential security vulnerabilities:

Medium Risk

  • Cryptographic Issues - 2
  • Directory Traversal - 10
  • Information Leakage - 4
  • Time and State - 1

Low Risk

  • Code Quality - 66

It’s definitely possible that these are not actual vulnerabilities and can be considered “mitigated by design”; I can provide more detailed descriptions of the potential vulnerability categories if needed. For example, 65 of the “Code Quality” issues were String comparisons using “==” instead of equals(), which could be valid per the design. I found several forum posts regarding Veracode scans and Aspose.Words for Java, but they are all more than a year old. I’m therefore wondering if Aspose.Words for Java has been updated since these posts were written. Can you please provide the following information:

  1. Are there any plans to ensure that Aspose.Words for Java can pass the Veracode security scan?

  2. What security measures have been implemented in Aspose.Words for Java that could be considered as specifically mitigating the above identified vulnerabilities?

  3. In general, what are Aspose’s standards for developing secure code?

Please let me know if you need any additional information. Thanks for your help!

Paul Moldenhauer

Advisor, Clinical Product Line, CVS/Caremark

CVS Health

Hi Paul,

Thanks for your inquiry. We are in communication with our product team about your query. We will get back to you asap.

Hi Paul,

Thanks for the very interesting question. Can you provide the more detailed AW for Java v.15.2.0 Veracode output, so that we can better understand the vulnerabilities? You can email it to me right from the forum.

Definitely, we do not use ‘==’ or ‘!=’ to compare Strings – it is a syntax error in our environment. Maybe some linked libraries do use it. About Directory Traversal – it is an interesting question. On one side, Aspose.Words is just middleware. The higher-level application should check wildcards and other security options before passing a path to Aspose.Words. On the other side… maybe we should add this check too.

We use a bunch of automatic tools to improve Aspose.Words. However, most of them are about code quality (like SonarQube), not about security like Veracode. We will discuss how to add Veracode or a similar security check to our development lifecycle.

Best Regards,

Hi Paul,

We have a documented coding standard that specifies the use of some well known coding, design and security patterns and practices. We have a peer code review process in place and use an automated tool to monitor adherence to the standard.

Sorry we do not use Veracode at the moment. If you can provide more details about the issues that Veracode complains about, we will be surely interested to address them.

I do not think that directory traversal is a security issue here because Aspose.Words just passes that information in the calls to the framework.

Greetings,

I am vetting out Aspose.Words for use within our SharePoint environment. I came across this post, which parallels my work. Did you ever get a resolution to your request? If so, can you share the results? Also, I know Veracode has some limitations when it comes to Java. Did you also run into this with your assessment?

Thanks,

Steve Chamberlain

Network Security Architect

Umpqua Bank.

Hi Steve,

We are currently looking into the Veracode report submitted to us by one of the customers.

If you have a security report of your own, please submit it too.

Hi Paul,

Sorry for the delay. And many thanks for your report. It is very useful. I just sent you the complete report by e-mail. JIRA issues added to fix the Veracode flaws:

WORDSJAVA-1185
WORDSJAVA-1186
WORDSJAVA-1187

These flaws will be fixed within the next month. Fixes will be published in the next release.

The other flaws are not real flaws, since Veracode's checks are too static or do not take context into account.

And please note that Aspose.Words is middleware - the end user does not have direct access to it. All input should be checked by the front-end application.

Best Regards, and sorry for the delay,
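The two Aspose replies above put the directory traversal check on the calling application: a user-supplied file name should be validated before it is handed to the library. The following is an added example of that caller-side check, written for this thread and not code from Aspose or from the forum posters. It assumes a fixed document directory (here a constructed temporary directory) and a relative file name coming from an untrusted source; the `resolveInside` helper and its argument names are this example's own.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Caller-side containment check for a user-supplied document name.
 * Only the validated, symlink-resolved path is passed on to the
 * document library (for Aspose.Words that would be the Document
 * constructor that takes a file name), so "../" sequences, absolute
 * paths and wildcard characters never reach it.
 */
public final class SafeDocumentPath {

    private SafeDocumentPath() {}

    /**
     * Resolves userSupplied against baseDir and returns the real path only if
     * it still lies inside baseDir. Throws on any attempt to escape.
     */
    public static Path resolveInside(Path baseDir, String userSupplied) throws IOException {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty document name");
        }
        // A document name never legitimately contains wildcards; reject them
        // rather than letting a lower layer interpret them.
        if (userSupplied.indexOf('*') >= 0 || userSupplied.indexOf('?') >= 0) {
            throw new IllegalArgumentException("wildcards are not permitted: " + userSupplied);
        }
        // toRealPath() follows symlinks, so the base we compare against is the
        // directory the OS will actually open.
        Path base = baseDir.toRealPath();
        // resolve() ignores base for an absolute input, so an absolute path
        // fails the startsWith() check below just like "../" does.
        Path candidate = base.resolve(userSupplied).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes the document directory: " + userSupplied);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new IOException("not a regular file: " + candidate);
        }
        // Second check on the symlink-resolved target: a link inside the
        // directory that points outside it must also be refused.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("link target escapes the document directory: " + userSupplied);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary directory holding one document.
        Path base = Files.createTempDirectory("docs");
        Files.createFile(base.resolve("report.docx"));

        System.out.println("accepted: " + resolveInside(base, "report.docx"));

        String[] rejected = { "../../etc/passwd", "/etc/passwd", "*.docx", "sub/../../report.docx" };
        for (String name : rejected) {
            try {
                resolveInside(base, name);
                System.out.println("UNEXPECTED accept: " + name);
            } catch (SecurityException | IllegalArgumentException | IOException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
        // Only after this point would the validated path be given to the
        // document library, e.g. new com.aspose.words.Document(real.toString()).
    }
}
```

The check is done twice on purpose: `normalize()` handles textual `..` segments, while `toRealPath()` handles symbolic links that a purely lexical check would miss. Comparing with `Path.startsWith(Path)` rather than `String.startsWith` avoids the classic mistake where `/srv/docs` is treated as a prefix of `/srv/docs-private`.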

I wanted to provide an update for anyone else who is wondering about using Aspose in an environment that requires Veracode security scans of all deployed code.

Aspose provided truly fantastic support to resolve all of the identified Veracode vulnerabilities. Aspose issued fixes for 8 of the vulnerabilities. There were a total of 93 remaining vulnerabilities which had to be updated in Veracode as being mitigated by design, but Aspose provided detailed and acceptable explanations for all of these.

My comments all apply to version 15.12.0 of Aspose Words for Java. Of course any other version may have other vulnerabilities identified by Veracode which would require additional remediation efforts. But Aspose was very receptive to our needs and I would expect the same for other customers.

Many thanks to Aspose for their excellent customer support!