WinSCP Use of PCRE Library from BlackDuck Scan

Royce

Hi WinSCP team,

We are currently using WinSCP version 6.3.1, and the BlackDuck binary check report states the use of the PCRE 7.9 library in WinSCP.

We would like to ask whether this is a false positive, or whether WinSCP has any plan to upgrade the version of the PCRE library?

The following are the critical vulnerability IDs detected for PCRE 7.9 in the BlackDuck binary check report, for your reference:
CVE-2015-8383
CVE-2015-8386
CVE-2015-8389
CVE-2015-8390
CVE-2015-8391
CVE-2015-8394

Hope to get your reply soon, thank you.

martin
Site Admin

Re: WinSCP Use of PCRE Library from BlackDuck Scan

PCRE as in "Perl Compatible Regular Expressions"?
WinSCP has nothing to do with any Perl.
So it indeed seems to be a false positive.

Royce

Hi Martin,

We have received communication from the Synopsys team regarding the requirement for proof of WinSCP utilizing the PCRE library. Kindly review the evidence provided by the Synopsys team at the following links:
https://github.com/winscp/winscp/blob/master/source/packages/jcl/jcld20win32.inc
https://github.com/winscp/winscp/blob/master/source/packages/jcl/crossplatform.inc

We would greatly appreciate your insight on the validity of the claim made by the Synopsys team. Additionally, if the claim is indeed valid, we are interested in knowing whether the WinSCP team has any plans to upgrade the version accordingly.

Thank you for your attention to this matter.

martin
Site Admin

All I can see in jcld20win32.inc are three defines, PCRE_8, PCRE_16 and PCRE_PREFER_16, which are never used anywhere in the code base.
I do not see anything relevant in crossplatform.inc.
So the claim does not seem valid to me.

Royce

Hi Martin,

Sorry for the late response. I just went through the source as well, and it just has the defines.

The defines do not seem to include any files/libraries during compilation. Does that mean there are no PCRE libraries included during compilation, and hence WinSCP does not use PCRE at all?

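A way to reproduce the check martin describes and to answer the last question above, added here as an example that is not part of this thread or of WinSCP's sources: scan a Delphi/Pascal tree for the three symbols and tell a bare `{$DEFINE}` apart from a directive that actually tests it or from a call into the PCRE API. The two sample units are constructed, not WinSCP files, and the list of API entry points is an assumption.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# The three conditional-compilation symbols named in the thread.
PCRE_DEFINES = ("PCRE_8", "PCRE_16", "PCRE_PREFER_16")
# Entry points a genuinely linked PCRE/PCRE2 library would be called through (assumed list).
PCRE_API = re.compile(r"\b(pcre2?_(?:compile|exec|match|study|free|fullinfo)\w*)\b")
# Delphi directives: a bare definition vs. a place that actually tests the symbol.
DEFINE_RE = re.compile(r"\{\$DEFINE\s+(\w+)\}", re.I)
USE_RE = re.compile(r"\{\$(?:IFDEF|IFNDEF|UNDEF)\s+(\w+)\}"
                    r"|\{\$IF\b[^}]*?\bDefined\(\s*(\w+)\s*\)", re.I)
SOURCE_EXT = {".pas", ".inc", ".dpr", ".c", ".cpp", ".h"}

def scan_tree(root):
    """Count definitions and consumers of each PCRE_* symbol; collect PCRE API calls."""
    defines, uses, api_hits = Counter(), Counter(), []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SOURCE_EXT:
            continue
        text = path.read_text(errors="replace")
        defines.update(m.group(1).upper() for m in DEFINE_RE.finditer(text))
        uses.update((m.group(1) or m.group(2)).upper() for m in USE_RE.finditer(text))
        api_hits += [(path.name, m.group(1)) for m in PCRE_API.finditer(text)]
    return ({s: defines[s] for s in PCRE_DEFINES},
            {s: uses[s] for s in PCRE_DEFINES}, api_hits)

def verdict(defines, uses, api_hits):
    """Only defined, never tested, no API calls: the scanner hit is likely a false positive."""
    if api_hits or any(uses.values()):
        return "evidence of PCRE use"
    return "likely false positive"

def build_sample(root, with_real_use):
    """Write constructed sample sources (not WinSCP's files) under root."""
    Path(root, "sample_jcl.inc").write_text(
        "{$DEFINE PCRE_8}\n{$DEFINE PCRE_16}\n{$DEFINE PCRE_PREFER_16}\n")
    body = "unit Main;\ninterface\nimplementation\nend.\n"
    if with_real_use:  # same unit, but now consuming the symbol and calling PCRE
        body = ("unit Main;\ninterface\n{$IFDEF PCRE_8}\nuses pcre;\n{$ENDIF}\n"
                "implementation\nprocedure T;\nbegin\n"
                "  pcre_compile('a', 0, nil, nil, nil);\nend;\nend.\n")
    Path(root, "Main.pas").write_text(body)

def check(with_real_use=False):
    """Build a sample tree in a temp dir, scan it and return the verdict string."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, with_real_use)
        return verdict(*scan_tree(d))
```

Pointing `scan_tree` at a real checkout gives the same three-way breakdown (defined, tested, called) that a scanner's "binary match" report does not.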