Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Yes, WinSCP does NOT use PCRE.
Royce

Hi Martin,

Sorry for late response. I just went thru the source as well and it just defines.

The defines seems did not includes any files/library during the compilation does it mean there is no PCRE libraries included during the compilation and hence WinSCP does not use PCRE at all?
martin

All I can see in the jcld20win32.inc are three defines PCRE_8, PCRE_16 and PCRE_PREFER_16, which are never used anywhere in the code base.
I do not see anything relevant in crossplatform.inc.
So the claim do not seem valid to me.
Royce

Hi Martin,

We have received communication from the Synopsis team regarding the requirement for proof of WinSCP utilizing the PCRE library. Kindly review the evidence provided by the Synopsis team at the following links:
https://github.com/winscp/winscp/blob/master/source/packages/jcl/jcld20win32.inc
https://github.com/winscp/winscp/blob/master/source/packages/jcl/crossplatform.inc

We would greatly appreciate your insight on the validity of the claim made by the Synopsis team. Additionally, if the claim is indeed valid, we are interested in knowing if the WinSCP team has any plans to upgrade the version accordingly.

Thank you for your attention to this matter.
Royce

Ya, the PCRE is referring to "Perl Compatible Regular Expressions".
Thanks for the reply and we will proceed from here.
martin

Re: WinSCP Use of PCRE Library from BlackDuck Scan

PCRE as in "Perl Compatible Regular Expressions"?
WinSCP has nothing to do with any Perl.
So it indeed seems to be a false positive.
Royce

WinSCP Use of PCRE Library from BlackDuck Scan

Hi WinSCP team,

We are currently using WinSCP version 6.3.1 and the BlackDuck binary check report states the use of PCRE 7.9 library in WinSCP.

We would like to ask that is this a false positive or is WinSCP has any plan on upgrading the version of PCRE library?

The following are the critical vulnerabilities id detected for PCRE 7.9 from BlackDuck binary check report for your reference:
CVE-2015-8383
CVE-2015-8386
CVE-2015-8389
CVE-2015-8390
CVE-2015-8391
CVE-2015-8394

Hope to get your reply soon, thank you.