Packaging Instructions for JavaScript and TypeScript

Compilation Guide

Supported JavaScript Libraries and Technologies

Veracode supports analyzing many client- and server-side JavaScript and TypeScript applications, including those that use HTML5 APIs, ECMAScript 2015, ECMAScript 2016, ECMAScript 2017, ECMAScript 2018, and JSX. Veracode also supports the following technologies:

| Framework | Supported Versions | Notes |
|---|---|---|
| Angular.js | 0-1.x, 2.x, 4.x | |
| Backbone.js | 1.3.3 and earlier | |
| Bootstrap | 1-4 | |
| Cheerio.js | 0.2-0.20 | |
| Ember.js | 1.x, 2.x | |
| jQuery | All | |
| Koa.js | 0.x-2.3.0 | |
| Node.js | All | Includes Express and many NPM modules |
| React.js | 0.13.x-15.x.x, react-router versions 2-4 | |
| SAPUI5/OpenUI5 | 1.x | |
| Underscore.js | 1.8.3 and earlier | |
| Vue.js | 1.x-2.x, vue-router versions 1.x-3.x | |

Template Engines

| Name | Supported Versions |
|---|---|
| Angular.JS templates | 0-1.x |
| Handlebars.js | 1.x-4.x |
| Hogan.js | 0-3.x |
| Mustache.js | 0.6-2.2.x |
| Swig | 1.x |

Unsupported JavaScript Technologies

The Veracode Platform does not support the analysis of CoffeeScript or Dart applications.

Packaging Guidance for JavaScript and TypeScript

Veracode extracts client-side JavaScript from JSP files that are uploaded as part of a JAR, WAR, or EAR file, and creates a separate JavaScript module that is selectable for analysis.

Upload a ZIP file containing JavaScript source code, or files that contain JavaScript. Veracode only extracts JavaScript from files with the following extensions:
  • ASP
  • CSS
  • EHTML
  • ES
  • ES6
  • HANDLEBARS
  • HBS
  • HJS
  • HTM
  • HTML
  • JS
  • JSX
  • JSON
  • JSP
  • MAP
  • MUSTACHE
  • PHP
  • TS
  • TSX
  • VUE
  • XHTML
Note: If a packaged .NET, PHP, or ASP web application includes JavaScript within the above file formats, Veracode extracts the JavaScript and scans it.
The structure of the ZIP file is not important.
  • For Node.js applications, please ensure that the node_modules folder exists and that its contents are included in the uploaded source.
  • When you submit TypeScript applications for analysis, package the TypeScript source files in a separate ZIP file.
    • For best results, do not pre-compile TypeScript applications to JavaScript. Submit the TypeScript source only.
  • If your JavaScript build or packaging process produces source map files that include original source, submit the MAP files along with the other files in your application. These files are selectable as a separate JavaScript module, which Veracode can analyze to provide additional JavaScript results.
  • For the highest-quality results, submit JavaScript files before any post-processing build steps, which may minify, uglify, obfuscate, or bundle files.

Software Composition Analysis for JavaScript

If you want to identify vulnerabilities in your third-party components, Software Composition Analysis is available for JavaScript. Before you submit your application for analysis, verify you have packaged your application according to the instructions below.
  • You must include the related package.json, package-lock.json, yarn.lock, and bower.json files for the package.
  • If you use third-party components from NPM in your application, you must include the node_modules folder and all of its contents.
  • If you use third-party components from Bower in your application, you must include all bower_components folders and all of their contents.
  • If you use both Bower and NPM, you must include all related node_modules and bower_components folders.
    Note: SCA results are generally not available for JavaScript applications if the node_modules subdirectory is not uploaded.
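
A pre-upload check for the packaging and SCA rules above, as an added example that is not Veracode's own code: it takes the relative paths that would go into the ZIP and returns a warning for each condition this page describes. The function names, warning texts and sample paths are constructed for illustration, and treating a missing lock file as a warning is an assumption about how to read the SCA file list.

```javascript
const fs = require("fs");
const path = require("path");

// Extensions this page lists as the only ones JavaScript is extracted from.
const EXTRACTED = new Set(("asp css ehtml es es6 handlebars hbs hjs htm html js jsx json " +
  "jsp map mustache php ts tsx vue xhtml").split(" "));

// Recursively list files under dir as forward-slash relative paths.
function listFiles(dir, base = dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const full = path.join(dir, e.name);
    return e.isDirectory() ? listFiles(full, base)
      : [path.relative(base, full).split(path.sep).join("/")];
  });
}

// Return warnings for a list of relative paths destined for the upload ZIP.
function auditPaths(paths) {
  const warnings = [];
  const inDir = (p, d) => p.split("/").includes(d);
  const ext = (p) => path.extname(p).slice(1).toLowerCase();
  // First-party files only: dependency folders are checked for presence, not content.
  const own = paths.filter((p) => !inDir(p, "node_modules") && !inDir(p, "bower_components"));
  const names = new Set(own.map((p) => path.basename(p)));
  if (!own.some((p) => EXTRACTED.has(ext(p))))
    warnings.push("no files with an extension that JavaScript is extracted from");
  if (names.has("package.json") && !paths.some((p) => inDir(p, "node_modules")))
    warnings.push("package.json present but node_modules missing");
  if (names.has("bower.json") && !paths.some((p) => inDir(p, "bower_components")))
    warnings.push("bower.json present but bower_components missing");
  if (names.has("package.json") && !names.has("package-lock.json") && !names.has("yarn.lock"))
    warnings.push("no package-lock.json or yarn.lock alongside package.json");
  const ts = own.some((p) => /^tsx?$/.test(ext(p)));
  const js = own.some((p) => /^jsx?$/.test(ext(p)));
  if (ts && js)
    warnings.push("TypeScript and JavaScript mixed: package TypeScript source in a separate ZIP");
  for (const p of own.filter((f) => /\.min\.js$/i.test(f)))
    warnings.push(`minified file, submit the pre-build source instead: ${p}`);
  return warnings;
}

// Constructed sample listing (not from a real project).
const SAMPLE = ["package.json", "src/app.js", "src/model.ts", "public/vendor.min.js"];
// With a directory argument the real tree is audited; otherwise the sample is used.
const input = process.argv[2] ? listFiles(process.argv[2]) : SAMPLE;
auditPaths(input).forEach((w) => console.log("WARN: " + w));
```

Run it against the staging directory before zipping, for example `node audit.js ./upload-staging` (file and directory names are placeholders).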