WinSCP Use of PCRE Library from BlackDuck Scan

Hi WinSCP team,

We are currently using WinSCP version 6.3.1 and the BlackDuck binary check report states the use of PCRE 7.9 library in WinSCP.

We would like to ask that is this a false positive or is WinSCP has any plan on upgrading the version of PCRE library?

The following are the critical vulnerabilities id detected for PCRE 7.9 from BlackDuck binary check report for your reference:
CVE-2015-8383
CVE-2015-8386
CVE-2015-8389
CVE-2015-8390
CVE-2015-8391
CVE-2015-8394

Hope to get your reply soon, thank you.

PCRE as in "Perl Compatible Regular Expressions"?
WinSCP has nothing to do with any Perl.
So it indeed seems to be a false positive.

Ya, the PCRE is referring to "Perl Compatible Regular Expressions".
Thanks for the reply and we will proceed from here.

Hi Martin,

We have received communication from the Synopsis team regarding the requirement for proof of WinSCP utilizing the PCRE library. Kindly review the evidence provided by the Synopsis team at the following links:
https://github.com/winscp/winscp/blob/master/source/packages/jcl/jcld20win32.inc
https://github.com/winscp/winscp/blob/master/source/packages/jcl/crossplatform.inc

We would greatly appreciate your insight on the validity of the claim made by the Synopsis team. Additionally, if the claim is indeed valid, we are interested in knowing if the WinSCP team has any plans to upgrade the version accordingly.

Thank you for your attention to this matter.

All I can see in the jcld20win32.inc are three defines PCRE_8, PCRE_16 and PCRE_PREFER_16, which are never used anywhere in the code base.
I do not see anything relevant in crossplatform.inc.
So the claim do not seem valid to me.

Hi Martin,

Sorry for late response. I just went thru the source as well and it just defines.

The defines seems did not includes any files/library during the compilation does it mean there is no PCRE libraries included during the compilation and hence WinSCP does not use PCRE at all?

Yes, WinSCP does NOT use PCRE.