Veracode provides specific packaging recommendations for ensuring successful scans.
This document provides specific instructions for Veracode-supported languages and platforms. Additionally, review this general guidance that applies to all Veracode static scans.
If you want source file and line number information for flaws, you must upload the debug symbols for the application, either PDB files for Windows binaries, or applications built including debug symbols according to the instructions in this document. You must upload debug symbols for C/C++ and iOS applications.
In general, for a successful upload of files to Veracode, follow these basic guidelines:
- Only upload files with names consisting of printable, UTF-8 characters.
- Only upload applications built using UTF-8 encoding.
- Do not upload obfuscated binaries.
- Do not upload installer packages, such as Linux RPM or Windows InstallShield.
- Do not upload Classic ASP applications in the same scan with application code written in other languages.
You can upload archives of multiple application files in these formats: ZIP, TAR, TAR.GZ, TGZ. The Veracode Platform expands the archive and lists all the executable files it finds inside. These rules apply to uploading archives:
- Do not upload a password-protected archive. The Veracode Platform securely encrypts all files that are uploaded. It is not necessary to password protect the archive, and the Veracode Platform is not be able to expand it if a password is present.
- Do not upload archives of archives. The Veracode Platform only expands the top level of archives and does not proceed if it finds additional archives inside (except for JARs, EARs, and WARs).
- When using tar to combine multiple files, use the -h option to ensure that tar archives the file that the symbolic link points to, rather than archiving the symbolic link.
- Veracode does not support the RAR archive format.
When you upload your application files, Veracode uses specific rules for retaining user-provided and system-generated data.