Resolving Prescan Warnings and Errors

Static Analysis

During a static scan, you may receive warning or error messages about the uploaded files. Use the tips from Veracode to resolve these warnings or errors.

Identifying Errors and Warnings

If the prescan operation encounters problems in your application, the Application page shows messages in the Status column.

Veracode shows error messages in red, preceded by a red triangle icon.

Veracode displays warning messages in amber text, preceded by the information icon.

Use these tips to resolve these warnings or errors.

Corrupt Headers

The module appears to have corrupt headers, and may have been modified after compilation. Try to recompile the module.

Deprecated Platform

The module is built with a platform, such as a compiler, that Veracode does not actively support. Results from the analysis of this module are not as accurate as results produced from supported platforms. Attempting to analyze this module may cause the analysis to fail. If it is a primary module (for example, an executable rather than a supporting library), try to recompile the module for a supported platform.

Incrementally Linked Libraries

The module is built with incremental linking turned on. In some cases, this condition can impair the quality of the analysis and increase scan times. If possible, try to recompile the module without incremental linking.

JSP Compilation Errors

Veracode cannot analyze JSP files that cannot be compiled. If you receive this message, verify that you include all files and classes on which the JSP files depend. Upload any missing files and classes.

Java compilation instructions provide additional guidance regarding JSP files.

Missing Debug Information

If Veracode shows any modules as missing debug information, in red, you must recompile the associated binaries according to the Veracode Packaging Requirements and upload them again. Veracode does not require debug information for every language. However, failing to include debug information may result in lower quality findings and increased scan times. Veracode also requires debug information to report the source file and line number for findings.

Missing Entry Point

For a successful static scan, each application or executable module needs a starting point. For a C application, this entry point might be a main() function. For a web application, it might be one or more JSP or ASPX pages.

No Precompiled Files Located

To analyze ASP.NET applications, Veracode requires you to precompile the dynamically generated pages, which are typically prepared at runtime by the application server. If you do not submit precompiled forms, the scan may produce incomplete or incorrect results. For more information, refer to Packaging ASP.NET Web Applications.

Veracode recommends that you use Veracode Static for Visual Studio to prepare your .NET application for uploading to Veracode.

Obfuscated or Optimized Code

Veracode cannot analyze code compiled with optimizations, or code that has been obfuscated. Recompile the binaries without optimizations or obfuscation and resubmit.

Supporting Files Missing

Carefully review the list of missing files shown as Not Found. Ensure that none of the files you want to analyze are missing. If you identify any missing supporting files, click Add Files and add the libraries containing the dependencies.

Note: For C/C++ applications, supporting files are required. If you do not upload the supporting files for a module, you cannot scan that module.

Unsupported Architecture, Platform, or Compiler

If any modules show an Unsupported Architecture, Platform, or Compiler message, in red, Veracode cannot analyze these modules. If you see this message, review the list of supported platforms and compilers. If possible, try to recompile the binaries with a supported compiler or platform. For example, for a Linux binary, try compiling on a Red Hat platform. For a 64-bit Windows binary, try compiling for 32-bit.

Unsupported Frameworks (Non-Blocking)

This message is informational only, which means that your scan proceeds even if your scan request is for an application that has one or more unsupported frameworks. After the scan of an unsupported framework, Veracode typically produces an incomplete list of the findings in the application. These findings are valid, but because the use of the unsupported frameworks can prevent Veracode from creating a complete model of the application before scanning, parts of the application were not scanned, which leads to an incomplete findings list.

Support Issue

Veracode detected an issue with the submission that may impact results quality or scan performance. Expand the module details for more information about the specific issue. Common support issues include:

Mismatched PDB files
Veracode could not load the debug information included for this module because it is not an artifact of the same compilation as the matching binary. Include the debug files you generated at the same time as the binary. You may need to perform a clean rebuild of the application.
Parse Failure
The source files indicated by this warning may contain syntax errors that prevent Veracode from analyzing them. Review the code to ensure that it is syntactically correct for the language and that it is written in a supported dialect. Ensure that you include any required dependencies in the submission. Veracode cannot scan files with parse failures. Veracode excludes these files from analysis if you choose to proceed.
Minified Files
The JavaScript or TypeScript source files indicated by this warning are minified, obfuscated, or both. Upload only JavaScript or TypeScript source files without any post-processing. Veracode cannot scan minified files and excludes them from analysis.
Uploaded Source Code Without Binaries
The submission contains source code files, but no corresponding compiled binary. Veracode analyzes compiled binary executables, rather than source code. For specific formatting instructions, refer to the Veracode Packaging Requirements.
Web.xml Errors
If you are uploading a Java web archive (WAR) for analysis, you may receive one of several messages regarding a missing, empty, or incorrect WEB-INF/web.xml filepath. As detailed in the packaging guidance for WAR, EAR, and JAR files in the Java compilation instructions, the WAR must contain a valid XML deployment descriptor. Review the instructions and resubmit with a correct WEB-INF/web.xml filepath.
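
The following local pre-upload check covers the three web.xml conditions named above (missing, empty, or incorrect path). It is an added example, not Veracode code or Veracode's own validation logic; the function names and the in-memory sample archives are constructed for illustration, and the root-element check assumes a standard servlet descriptor whose root is web-app.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "WEB-INF/web.xml"  # path relative to the archive root

def check_war_descriptor(war):
    """Return a list of descriptor problems for a WAR (path or file object)."""
    with zipfile.ZipFile(war) as zf:
        names = zf.namelist()
        if DESCRIPTOR not in names:
            # ZIP entry names are case-sensitive and rooted at the archive top,
            # so "web-inf/web.xml" or "myapp/WEB-INF/web.xml" do not count.
            misplaced = [n for n in names
                         if n.lower().rsplit("/", 1)[-1] == "web.xml"]
            if misplaced:
                return [f"incorrect path: found {misplaced[0]}, "
                        f"expected {DESCRIPTOR}"]
            return [f"missing {DESCRIPTOR}"]
        data = zf.read(DESCRIPTOR)
    if not data.strip():
        return [f"empty {DESCRIPTOR}"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"{DESCRIPTOR} is not well-formed XML: {exc}"]
    # Drop the namespace part, e.g. "{http://xmlns.jcp.org/xml/ns/javaee}web-app".
    if root.tag.rsplit("}", 1)[-1] != "web-app":
        return [f"unexpected root element <{root.tag}>"]
    return []

def build_war(entries):
    """Build a constructed in-memory WAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

# Constructed sample descriptor.
GOOD = b'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>'

if __name__ == "__main__":
    samples = {
        "good": {DESCRIPTOR: GOOD},
        "nested": {"myapp/WEB-INF/web.xml": GOOD},
        "empty": {DESCRIPTOR: b""},
    }
    for label, entries in samples.items():
        print(label, check_war_descriptor(build_war(entries)) or "ok")
```

Run it against the archive your build produces before you upload. It checks structure only and does not validate the descriptor against the servlet schema.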