Amadee,
Thanks for reminding me, had slipped my mind due to other activities.
Something that's missing in the HTML report snippet as quoted in your mail is which evidences the assembly analyzer was able to extract from WinSCP.
That might give a hint if the root for not finding anything would lie in the information available in the WinSCP binary, or some logical error in matching the evidences provided with the CPE-entry that NVD uses to register WinSCP CVEs.
The NVD CVE Analyzer uses the evidences discovered to do a fuzzy search for matching CPEs of the NVD data. So if the evidences delivered do not sufficiently match the official NVD coordinates for WinSCP, DepCheck will not link the two and not discover the vulnerabilities.
Lack of evidences discovered would point at either missing identifiers in WinSCP, or an issue in the AssemblyAnalyzer. Presence of fitting evidences might point at an issue in the fuzzy search logic to determine the CPE.
Using verbose logging (--log <log file name>) might also help in determining what is searched for by the CPEAnalyzer.
regards,
Hans
Hi @aikebah, I posted a report 10 days ago. Do you have enough information with this or do you need more?