You can precompile ASP.NET WebForms and MVC Views using the Publish feature in Visual Studio. You automate the precompilation using the MSBuild command-line tool.
To automate with MSBuild, use Visual Studio to precompile your ASP.NET application and generate the PUBXML file, which is created in your folder in your ASP.NET Web project.
This table describes the PUBXML file values:
|WebPublishMethod||Set to FileSystem to specify that the precompiled files are written to the local filesystem.|
|PublishProvider||Required. Set to FileSystem so that the precompiled files are written to the local filesystem.|
|LastUsedBuildConfiguration||Set to Debug. This value is set by the Publish option in Visual Studio to track the last Build Configuration that the Veracode Platform used last time. You should set this value to the Build Configuration you need to target.|
|LastUsedPlatform||Set to Any CPU. This value is set by the Publish option in Visual Studio to track the last used platform. This value should be set to the platform the user needs to target.|
|ExcludeApp_Data||Set this value to the requirements for your project.|
RequiredThis value is the filepath where Veracode writes the precompiled assemblies. This value is the location where you pick up the files to zip up and upload to the Veracode Platform.
RequiredSet to True to precompile the ASPX WebForms or the CSHTML views.
|DeleteExistingFiles||If set to True, the output directory publishUrl is purged before Veracode writes output to it. Veracode recommends that you purge the output directory.|
RequiredSet to False, otherwise the CSHTML View/ASPX WebForm is still editable, which results in new compilation and use of the View or WebForm.
RequiredYou must set this to True to retain the debug symbols.
RequiredYou must set this to CreateSeparateAssembly, which instructs the compiler to create an assembly for each page or view.
RequiredYou must set this to True, which instructs the compiler to allow all the separately created assemblies to start with the same name.
|UseMerge||If present, you must set this value to False, you do not want to merge any of the output.|
You can also specify the PublishProfile property as a name instead of a path to a file. Other switches may be needed, depending on your environment and/or requirements.
Using a VS Project File to Precompile Without a PUBXML Configuration File
There is a way to precompile and package ASP.NET WebForms and MVC Views without the .pubxml file.
The following example uses a .csproj file to precompile, merge, and then package it in a deployment ZIP file:
msbuild ContosoUniversity.csproj /p:OutputPath=bin /p:DeployOnBuild=true /p:PublishProvider="FileSystem" /p:PrecompileBeforePublish=true /p:EnableUpdateable=false /p:DebugSymbols=true /p:WDPMergeOption="CreateSeparateAssembly" /p:UseFixedNames=true
You can use the above example to build a web project if you substitute the .csproj name and use these specific parameters and values from the command line:
msbuild ContosoUniversity.csproj /p:OutputPath=bin /p:DeployOnBuild=true /p:PrecompileBeforePublish=true /p:EnableUpdateable=false /p:DebugSymbols=true /p:WDPMergeOption="CreateSeparateAssembly" /p:WebPublishMethod="FileSystem" /p:UseMerge=false
The ZIP file contains all the assemblies needed to deploy the web application. You can also upload this ZIP file to the Veracode Platform. Based on the command line in the example above, the deployment package is in a subfolder under the output path: bin\_PublishedWebsites\ContosoUniversity_Package\ContosoUniversity.zip.
Using a Solution File to Precompile Without a PUBXML Configuration File
msbuild ContosoUniversity.sln /t:Rebuild /tv:14.0 /p:OutputPath=bin /p:DeployOnBuild=true /p:WebPublishMethod=FileSystem /p:PrecompileBeforePublish=true /p:EnableUpdateable=false /p:DebugSymbols=true /p:UseMerge=false /p:DeleteAppCodeCompiledFiles=True /p:DeleteExistingFiles=True /p:WDPMergeOption=CreateSeparateAssembly /p:UseFixedNames=true
Change the /t: and /tv: parameters to specify the required targets and the version of Visual Studio you are using. For example, /tv:14.0 is Visual Studio 2015 and /tv:12.0 is Visual Studio 2013. The target version parameter /tv: is not required for Visual Studio 2017 or later.
Using the Veracode API Wrappers from the Command Line
Use the uploadandscan action from the API wrapper to help automate uploading the .NET application to Veracode.