WinSCP and zlib

Dear all,

While scanning latest version with Black Duck it reports usage of zlib 1.2.7 library with known vulnerabilities.
Does the project use this library and this version or should this be reported as false positive?

Regards
Daniel

I'm not aware of zlib being used in WinSCP.
Does the Black Duck show any details about how it detected zlib in WinSCP?

Here is what the software reports

Maybe there are other external libraries that include zlib..

I do not think so. I cannot of course rule out possibility that parts of zlib code are copied into some 3rd party library WinSCP is using. But the actual zlib library is not used.

The zlib library can be used by OpenSSL and neon libraries. It was also used by FileZilla 2, on which WinSCP FTP implementation is built on. But zlib use is turned off in WinSCP for all those libraries.

The libs3 library is officially dependent on zlib via libxml2. Maybe that's where the detection comes from. But in WinSCP, the libs3 is reimplemented to use Expat instead of libxml2.

PuTTY (used by WinSCP as library for SSH) implements zlib, but it has its own implementation.

So there are lots of "zlib" mentions in WinSCP source code. But that does not mean WinSCP uses the actual "zlib" library.

Dear all,

I asked BlackDuck to show us the evidence of using zlib library in WinSCP.
BlackDuck said WinSCP use zlib library in the PuTTY and sent me below link as evidence.
https://github.com/winscp/winscp/blob/5.21.8/source/putty/ssh/zlib.c

And also BlackDuck decided that WinSCP is using zlib library from below information.
I'm not sure but it seems that below is a result of command on the Linux.
BlackDuck said that this result show the license information of zlib and indicate to be used the zlib.

---

Kind Regard,
Daniel

The code in the link says at the very beginning (emphasis mine):

There will no doubt be criticism of my decision to reimplement Zlib compression from scratch instead of using the existing zlib code