Packaging React Native Applications

Veracode Packaging Requirements

Your React Native applications must meet specific compilation requirements before you can submit them for scanning.

See Supported Languages and Platforms for instructions for other platforms.

Required Files

Veracode recommends that you submit your React Native application as an archive containing the source code. You can also submit your application as a compiled iOS archive (IPA) or a compiled Android package (APK).

Supported React Native Versions

Technology               Platform       Version
JavaScript/React Native  Android, iOS   0.50–0.6x

Packaging Guidance

When uploading a ZIP archive of the source code to Veracode, do not submit files that you built using webpack or other packaging mechanisms. Source files must be UTF-8 encoded.

If you cannot submit the source code, submit React Native applications as IPA or APK files. When analyzing React Native applications submitted as IPA or APK files, Veracode must properly identify the JavaScript bundle included in the file that contains the application logic. Veracode identifies the JavaScript bundle by inspecting a source map file. To submit IPA or APK files, you must therefore modify the default React Native build scripts so that they produce a package for analysis. This requirement ensures that Veracode can identify the bundle consistently and has all of the context necessary for analysis.

To ensure that a source file has a consistent name that Veracode can use for analysis, Veracode recommends that you modify the configuration files you use for iOS or Android.

Configuration for iOS

Add this line to the configuration file:

   --sourcemap-output "$"

Create a build using Xcode and ensure that it has the IPA file extension. Then, upload that file to Veracode for analysis.

Configuration for Android

You must modify two components to produce a package for analysis, in this sequence:

  1. Modify the Gradle configuration file build.gradle to define the bundle name:
       project.ext.react = [
           bundleAssetName: "main.jsbundle",
       ]
  2. Edit the Android packager script ./node_modules/react-native/react.gradle to add these modifications to the build script:
       // Define the source map file next to the JavaScript bundle
       def jsBundleMapFile = "${jsBundleFile}.map"
       // Add these two arguments to the bundle command
       "--sourcemap-output", jsBundleMapFile

After you make these modifications to the build scripts, use Gradle to create an APK file. Then, upload that file to Veracode for analysis.
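
A pre-upload check for the requirements above, as an added example (not Veracode tooling): it confirms that an APK contains both main.jsbundle and its source map, and that a source ZIP holds only UTF-8 files with no webpack output. The assets/ location inside the APK, the file extensions checked, the __webpack_require__ marker test, and the helper names are assumptions of this example.

```python
import io
import zipfile

BUNDLE = "assets/main.jsbundle"   # bundleAssetName from build.gradle; assets/ location is assumed
SOURCE_MAP = BUNDLE + ".map"      # "${jsBundleFile}.map" from the react.gradle change
SOURCE_EXTS = (".js", ".jsx", ".json")  # assumed set of source file types to check


def check_apk(archive):
    """Problems in an APK: the bundle and its source map must both be packaged."""
    with zipfile.ZipFile(archive) as zf:
        names = set(zf.namelist())
    return [f"missing {want}" for want in (BUNDLE, SOURCE_MAP) if want not in names]


def check_source_zip(archive):
    """Problems in a source ZIP: webpack-built files and files that are not UTF-8."""
    problems = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.endswith(SOURCE_EXTS):
                continue
            data = zf.read(info)
            if b"__webpack_require__" in data:  # marker of the webpack runtime
                problems.append(f"{name}: built with webpack")
            try:
                data.decode("utf-8")
            except UnicodeDecodeError:
                problems.append(f"{name}: not UTF-8")
    return problems


def make_zip(files):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: an APK built without the source map, and a source ZIP
    # holding one clean file, one Latin-1 file and one webpack output file.
    apk = make_zip({"classes.dex": b"", "assets/main.jsbundle": b"var a=1;"})
    src = make_zip({"src/App.js": "const s = 'café';".encode("utf-8"),
                    "src/Old.js": "const s = 'café';".encode("latin-1"),
                    "dist/app.js": b"function __webpack_require__(id) {}"})
    print(check_apk(apk))
    print(check_source_zip(src))
```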