CVSHealth recently began using Aspose.Words for Java, and one of our enterprise standards is to submit all code to a security scan by Veracode (www.veracode.com). When we scanned aspose-words-15.2.0-jdk16.jar, Veracode identified the following 83 potential security vulnerabilities:
- Cryptographic Issues - 2
- Directory Traversal - 10
- Information Leakage - 4
- Time and State - 1
- Code Quality - 66
It’s definitely possible that these are not actual vulnerabilities and can be considered “mitigated by design”; I can provide more detailed descriptions of the potential vulnerability categories if needed. For example, 65 of the “Code Quality” issues were String comparisons using “==” instead of equals(), which could be valid per the design. I found several forum posts regarding Veracode scans and Aspose.Words for Java, but they are all more than a year old. I’m therefore wondering if Aspose.Words for Java has been updated since these posts were written. Can you please provide the following information:
- Are there any plans to ensure that Aspose.Words for Java can pass the Veracode security scan?
- What security measures have been implemented in Aspose.Words for Java that could be considered as specifically mitigating the above identified vulnerabilities?
- In general, what are Aspose’s standards for developing secure code?
Please let me know if you need any additional information. Thanks for your help!
Advisor, Clinical Product Line, CVS/Caremark
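As an added example (not part of the original post and not Aspose code) of what the “String comparison using ==” finding means and when it is harmless by design, the following self-contained Java class contrasts reference comparison with content comparison. It assumes only the standard library; the class and method names are illustrative.

```java
// Added example, not taken from Aspose.Words or from the post above.
// Shows why a static analyzer flags "==" between Strings and when the
// pattern is nonetheless correct: "==" compares object identity, while
// equals() compares character content.
public class StringCompareDemo {

    // A compile-time constant String is interned by the JVM, so every
    // literal with the same content resolves to this same object.
    static final String FORMAT_DOCX = "docx";

    // Reference comparison: true only if both refer to the same object.
    static boolean sameReference(String a, String b) {
        return a == b;
    }

    // Content comparison: true if the characters match; null-safe.
    static boolean sameContent(String a, String b) {
        return a != null && a.equals(b);
    }

    public static void main(String[] args) {
        // Interned literal: shares the object behind FORMAT_DOCX.
        String literal = "docx";
        // Explicit construction: distinct object, identical content.
        String constructed = new String("docx");
        // Built at runtime, as a value parsed from a file or request would be.
        String runtime = new StringBuilder("do").append("cx").toString();

        // Safe by design: comparing two interned constants. This is the
        // situation in which a "==" finding can be closed as mitigated.
        System.out.println("const == literal     : " + sameReference(FORMAT_DOCX, literal));

        // The real bug the scanner is looking for: identical content, but
        // "==" reports them as different because they are separate objects.
        System.out.println("const == constructed : " + sameReference(FORMAT_DOCX, constructed));
        System.out.println("const == runtime     : " + sameReference(FORMAT_DOCX, runtime));

        // equals() gives the intended answer for every case.
        System.out.println("equals(constructed)  : " + sameContent(FORMAT_DOCX, constructed));
        System.out.println("equals(runtime)      : " + sameContent(FORMAT_DOCX, runtime));

        // intern() maps a runtime String onto the shared constant, which is
        // how code that deliberately relies on "==" keeps it correct.
        System.out.println("const == interned    : " + sameReference(FORMAT_DOCX, runtime.intern()));
    }
}
```

Run it with `javac StringCompareDemo.java && java StringCompareDemo`. The distinction matters for triage: a `==` between two internal constants is a false positive, but a `==` against a value that entered the program at runtime (a document attribute, a file name, a user-supplied format string) is a logic error, and in a security-relevant branch it can silently skip a check.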