Veracode Scan reports Improper Resource Shutdown or Release errors in several DLLs

ChadAll · October 18, 2023, 3:36pm

Hello -

Like most we are required to run Veracode scans on our code. The scans have reported several
CWE-404: Improper Resource Shutdown or Release errors in several DLLs.

Here are some examples:

aspose.email.dll/aspose.email.dll void 23_3Dze2nVGzs_3D(string): 29%
aspose.imaging.dll Aspose.Imaging.Masking.Result.MaskingResult 02(Aspose.Imaging.RasterImage): 79%
aspose.psd.dll Aspose.PSD.StreamContainer 02_(string): 16%
aspose.words.dll Aspose.Words.VisitorAction VisitFieldSeparator(Aspose.Words.Fields.FieldSeparator): 30%
aspose.cells.dll int 02____(System.IO.Stream, System.IO.BinaryReader, long): 84%

and many more.

Will these be fixed? What is the official ‘stance’ on these issues?

Thank you

amjad.sahi · October 18, 2023, 5:24pm

@ChadAll,

Regarding Aspose.Cells, we need to evaluate and investigate your mentioned issue(s). We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): CELLSNET-54425

Once we have an update on it, we will let you know.

peyton.xu · October 19, 2023, 3:17am

@ChadAll

Regarding Aspose.Cells, we checked the method, there are some Readers are created based on the param stream, and the Readers are not closed. But, there is no issue for it because the underlying stream(param stream) is well managed and closed outside.

If you have any questions, please share us a full report of Veracode scans for Aspose.Cells.

alexey.noskov · October 19, 2023, 3:49pm

@ChadAll
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): WORDSNET-26106

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

stanislav.popov · October 19, 2023, 3:50pm

@ChadAll
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): IMAGINGNET-6709

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

Dmitriy.Sorokin · October 19, 2023, 3:53pm

@ChadAll I created a task PSDNET-1763. Check Aspose.PSD for the CWE-404. We have the similar situation as Aspose.Cells. Some StreamContainer are not closed sometimes but underlying stream(param stream) is well managed and closed outside. We will make additionall scans to confirm it.

aspose.notifier · November 7, 2023, 5:54am

The issues you have found earlier (filed as WORDSNET-26106) have been fixed in this Aspose.Words for .NET 23.11 update also available on NuGet.