Compilation Instructions for C/C++ on Windows

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Required Files

The Veracode Platform requires all binary executables, all required libraries and the complete debug information for the application.

Supported C/C++ on Windows Platforms and Compiler Versions

Language: C/C++ (32-bit/64-bit)

Platform: Windows

Version:
  • Up to Windows XP/Windows Server 2003
  • Up to Windows 7/Windows Server 2008 R2

Compiler:
  • Visual C++ 7.0 - in Visual Studio .NET 2002
  • Visual C++ 7.1 - in Visual Studio .NET 2003
  • Visual C++ 8.0 - in Visual Studio 2005
  • Visual C++ 9.0 - in Visual Studio 2008
  • Visual C++ 10.0 - in Visual Studio 2010
  • Visual C++ 11.0 - in Visual Studio 2012
  • Visual C++ 12.0 - in Visual Studio 2013
  • Visual C++ 14.0 - in Visual Studio 2015
  • Visual C++ 14.1 - in Visual Studio 2017

Supported Architectures

Veracode supports analyzing Windows C/C++ code compiled for the Intel IA32 and X86_64 architectures. Veracode does not currently support analyzing Windows C/C++ code compiled for Itanium (IA64), Alpha, MIPS, PowerPC, ARM, or other microarchitectures.

Platform-specific Debug Settings

You can automate these compilation settings by using the Veracode Visual Studio Extension.

Ensure the binary files are compiled with the following settings:

  • Project Properties > Configuration Properties > C/C++ > General

    Set Debug Information Format to Program Database (/Zi).

  • Project Properties > Configuration Properties > C/C++ > Optimization

    When possible, set Optimization to Disabled (/Od).

  • Project Properties > Configuration Properties > C/C++ > Code Generation
    • Set Basic Runtime Checks to Default (on the command line, ensure that /RTC is not set).
    • Set Runtime Library to Multi-threaded Debug or Multi-threaded Debug DLL (/MTd, /MDd, or /LDd).
    • Set Buffer Security Check to No (/GS-).
  • Project Properties > Configuration Properties > Linker > General

    Set Enable Incremental Linking to No (/INCREMENTAL:NO).

  • Project Properties > Configuration Properties > Linker > Debugging

    Choose Generate Debug Information optimized for sharing and publishing (/DEBUG:FULL).

  • Retain the generated PDB file. It is a required dependency.

Building and Linking Applications Using the Command Line

If you are building a Visual C++ application from the command line, Veracode requires that the /Zi, /Od and /GS- flags are set, that the /RTC flag is not set, and, if you explicitly specify the /M or /L option, that a debug run-time library is selected (for example, /MDd, /MLd, /MTd, or /LDd) when you compile. The /INCREMENTAL:NO and /DEBUG flags must be set when linking the application.

The following example shows the command-line flags required to build an application for Veracode analysis.

    cl.exe /Zi /Od /GS- /MTd /link /INCREMENTAL:NO /DEBUG:FULL
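
The flag rules in this section can be checked mechanically before a build is submitted. The following Python check is an added example, not Veracode tooling: the function name check_cl_command and the choice to accept only /DEBUG and /DEBUG:FULL at link time are assumptions made here.

```python
import shlex

# Compiler options are case-sensitive (/ZI is a different option from /Zi).
REQUIRED_COMPILER = ("/Zi", "/Od", "/GS-")
RUNTIME_DEBUG = {"/MDd", "/MLd", "/MTd", "/LDd"}
RUNTIME_RELEASE = {"/MD", "/ML", "/MT", "/LD"}


def _norm(tok):
    # cl.exe and link.exe accept '-' as well as '/' as the option prefix.
    return "/" + tok[1:] if tok.startswith("-") else tok


def check_cl_command(cmdline):
    """Return a list of findings; an empty list means the flags match the guide."""
    tokens = [_norm(t) for t in shlex.split(cmdline, posix=False)]
    if "/link" in tokens:
        split = tokens.index("/link")
        compiler, linker = tokens[1:split], tokens[split + 1:]
    else:
        compiler, linker = tokens[1:], []
    linker = [t.upper() for t in linker]  # linker options are case-insensitive

    findings = []
    for flag in REQUIRED_COMPILER:
        if flag not in compiler:
            findings.append(f"missing compiler flag {flag}")
    for tok in compiler:
        if tok.startswith("/RTC"):
            findings.append(f"{tok} must not be set")
    runtime = [t for t in compiler if t in RUNTIME_DEBUG | RUNTIME_RELEASE]
    # When several run-time options are given, the last one on the line wins.
    if runtime and runtime[-1] in RUNTIME_RELEASE:
        findings.append(f"{runtime[-1]} selects a non-debug run-time library")
    if "/INCREMENTAL:NO" not in linker:
        findings.append("missing linker flag /INCREMENTAL:NO")
    if not any(t in ("/DEBUG", "/DEBUG:FULL") for t in linker):
        findings.append("missing linker flag /DEBUG or /DEBUG:FULL")
    return findings


if __name__ == "__main__":
    # The command line shown in this guide; it produces no findings.
    guide_example = "cl.exe /Zi /Od /GS- /MTd /link /INCREMENTAL:NO /DEBUG:FULL"
    print(check_cl_command(guide_example) or "flags match the guide")
```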

Optimized Code

Although Veracode can analyze some Windows C/C++ binaries compiled with optimization, the quality of the results may be reduced. Specifically, Veracode strongly recommends the following settings when analyzing Windows binaries compiled with optimization:

  • MSVC7: analysis of optimized binaries built with MSVC 7 and earlier is unsupported
  • MSVC8: disable Frame Pointer Omission optimization with the /Oy- command-line flag
  • MSVC9: no specific issues

C/C++ Windows Application Profile

  • You must package applications as EXE, DLL, or ZIP files.
  • Debug symbols are mandatory for main executables. Veracode strongly recommends that you also provide debug symbols for dependent libraries, when possible, to achieve higher-quality scan results.
  • Failure to upload debug symbols for Windows C/C++ applications prevents the scan from proceeding.
  • Failure to upload dependencies for Windows C/C++ applications results in a warning during prescan.