Selecting Modules to Scan

Static Analysis

A module represents a discrete component of the uploaded application that Veracode analyzes. A prescan of the application identifies the top-level modules, which are the components that have entry points for external data. You can select only top-level modules to scan.

About Top-level Modules

Top-level modules may have dependencies or supporting files identified during prescan validation. Veracode scans a dependency as part of scanning the selected top-level modules that depend on it.

  • In Java, uploaded WAR and EAR files are always the top-level modules. Uploaded JAR files usually are top-level modules, except when they are dependencies of WAR or EAR files.
  • In .NET, the uploaded EXE files are usually the top-level modules. The uploaded DLL files may be top-level modules, if they are not a dependency of another part of the application.
  • In C++, the uploaded main application is the top-level module.
  • In iOS, Ruby on Rails, PHP, and other supported languages, the top-level modules are the uploaded files.

Selecting Modules

After prescan verification completes, the Review Modules page displays information about the scannable modules within the application. Veracode performs a default module selection based on the structure of the application identified during prescan verification. If you have scanned this application previously, Veracode remembers the modules you selected in previous scans and uses them to populate subsequent scan configurations automatically. In the File Selection dropdown menu, select Previous Selection to reuse the file selection from the previous scan, or select Veracode Default to use the module selection that Veracode recommends.

In most cases, Veracode recommends using the default module selection. However, if you want to change your selection, click the Advanced Mode tab, which shows a list of all the modules uploaded and their statuses.
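Changing the selection changes which uploaded files are analyzed, because a dependency is scanned only through a selected top-level module that depends on it. The following added example (not Veracode code and not the prescan logic) models the Java rules from this page to show which files a given selection leaves unscanned. The file names and dependency map are constructed, and treating "dependency of a WAR or EAR" as a direct dependency and following dependencies transitively are assumptions.

```python
from collections import deque

# Constructed upload: each file maps to the uploaded files it depends on.
UPLOAD = {
    "shop.war": ["core.jar", "payments.jar"],
    "admin.war": ["core.jar", "audit.jar"],
    "batch.jar": ["core.jar"],
    "core.jar": [],
    "payments.jar": [],
    "audit.jar": [],
}

def top_level_modules(upload):
    """Java rules from the page: WAR/EAR files are always top-level; a JAR is
    top-level unless it is a (direct, by assumption) dependency of a WAR/EAR."""
    archive_deps = set()
    for name, deps in upload.items():
        if name.endswith((".war", ".ear")):
            archive_deps.update(deps)
    top = set()
    for name in upload:
        if name.endswith((".war", ".ear")):
            top.add(name)
        elif name.endswith(".jar") and name not in archive_deps:
            top.add(name)
    return top

def scan_coverage(upload, selected):
    """Return (scanned, unscanned) file sets for a selection of top-level modules."""
    invalid = set(selected) - top_level_modules(upload)
    if invalid:
        # Only top-level modules can be selected for scanning.
        raise ValueError(f"not top-level modules: {sorted(invalid)}")
    scanned, queue = set(selected), deque(selected)
    while queue:
        # Assumption: dependencies are followed transitively.
        for dep in upload.get(queue.popleft(), []):
            if dep not in scanned:
                scanned.add(dep)
                queue.append(dep)
    return scanned, set(upload) - scanned

if __name__ == "__main__":
    scanned, unscanned = scan_coverage(UPLOAD, ["shop.war"])
    print("scanned:  ", sorted(scanned))
    print("unscanned:", sorted(unscanned))
```

In this constructed upload, selecting only shop.war leaves admin.war, batch.jar, and audit.jar outside the scan, which is the coverage gap to check for before narrowing the default selection.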

The possible status values of the module include:

  • Validated: Veracode has checked the module and the module is ready to be scanned.
  • Non-blocking issue: Veracode has checked the module. The module has one or more issues that may impair the quality of results but do not prevent the scan from proceeding. The status column displays a summary of the issue.
  • Blocking error (red highlight): Veracode has checked the module and has identified one or more issues that prevent it from being scanned. The status column displays a summary of the issue.

You can filter the list of modules to show only the modules in error status (red or yellow).

You can view details about blocking errors or non-blocking issues by clicking the status text. Veracode displays detailed information about the error or issue, along with guidance for fixing it.

See guidance for resolving specific error messages.