Supported .NET Languages and Technologies
.NET Portable Class Library
|.NET 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5-4.7
.NET Core 1.0, 1.1, 2.0-2.2
.NET Standard 2.0
|Visual Studio .NET (2002), 2003, 2005, 2008, 2010, 2012, 2013, 2015, 2017 Mono 4.x||x86, x64|
|C++/CLI||.NET 2.0, 3.0, 3.5, 4.0, 4.5-4.7 (CLR 2.0)||Visual Studio 2005, 2008, 2010, 2012, 2013, 2015||x86, x64|
Because Veracode analyzes compiled .NET bytecode, it may be possible for Veracode to discover results in applications written in other .NET languages, but these are not tested or supported. In particular, .NET applications that target the Dynamic Language Runtime are not supported.
Packaging Guidance for .NET
Applications must be packaged as EXE, DLL, or ZIP files.
Veracode cannot analyze a 32-bit module that has 64-bit dependencies, or vice versa. If your application has this architecture, rebuild it to ensure that the parent module and its dependencies are all either 32-bit or 64-bit, but not mixed.
Veracode requires debug symbols (PDB files) to be included with the application to accurately report the filenames and line numbers for findings.
Preparing Your .NET Application Using the Visual Studio Extension
Veracode offers a Visual Studio extension that can compile .NET applications (2.0 or later). Veracode recommends you use the extension to easily submit the precompiled forms that Veracode needs to successfully complete the scan. Use the instructions in the Integrating Veracode into Visual Studio Help Center page. If you are not using the Veracode Visual Studio Extension, you should set the debug symbols as described here:
Debug Builds For .NET 2.0 and Later
- From Debug. , select
- Set Debug.
Please refer to MSDN for setting for specific versions of Visual Studio for the Debug settings.
Debug Builds for .NET 1.1
- Set Conditional Compilation Constants to DEBUG.
- Deselect Optimize Code.
- Select Generate Debugging Information.
- Deselect Incremental Build.
- Deselect Do not Use Mscor lib.
Additional Settings for Console Applications
- From :
- Set Supported Runtimes to Microsoft .NET Framework v1.1 (default).
Debug Builds for C++/CLI (C++ on .NET)
- In General settings, set Debug Information Format to Program Database(/Zi).
- In Common Language
- In Code Generation Settings, set Basic Runtime Checks to Default (/RTC1) and Buffer Security Check to No (/GS-).
- In Linker General Settings, set Enable Incremental Linking to No (/INCREMENTAL:NO).
- In Linker Debugging Settings, select Generate Debug Info (/DEBUG).
- In Force IJW Image (/CLRIMAGETYPE:IJW). , select
- In Compiler/Optimization Settings, select Disabled (/Od).
- In Not Using Precompiled Headers. , select
- Be sure to save the generated PDB file, which is a required dependency.
Preparing .NET Web Applications (ASP.NET)
Veracode requires you to supply all the forms the application uses and all the dependencies in the compiled form, which are the DLL, EXE, and PDB files. These analysis requirements are different from the deployment requirements because the ASP.NET server can compile these forms dynamically after deployment. If you do not submit precompiled forms, the scan can produce incomplete or incorrect results. See detailed instructions here.
Veracode recommends using the Veracode Visual Studio Extension to precompile your ASP.NET forms for submission. See here for more information.
Preparing .NET Applications Using MSBuild
msbuild <solution> /t:Rebuild /tv:14.0 /p:Configuration=Debug /p:OutputPath=bin
More MSBuild examples are available at https://msdn.microsoft.com/en-us/library/dd393574.aspx.
Packaging Guidance for SharePoint
Veracode supports analysis of provider- or SharePoint-hosted Add-Ins, and does not support analysis of SharePoint Web Parts.
Packaging Guidance for Silverlight
- Use the Veracode Visual Studio Extension. Veracode recommends that you upload your Silverlight application using the Veracode Visual Studio Extension. The plugin automatically generates and uploads the required corresponding DLL and PDB files that Veracode needs to accurately display module names and line numbers.
- Upload an XAP archive. The results from scanning an XAP archive lack the PDB file that contains debug symbols, which means Veracode is unable to display the source filename and line numbers where the flaws are located.
- In Visual Studio, build your Silverlight-based application package as normal, using C# with a debug configuration. The PDB files are saved in the target directory along with the compressed XAP file, but they are not in the XAP archive itself.
- Rename the compressed XAP file in the target directory to a ZIP file, and extract the files (preferably to a new directory).
- Add the PDB files in the original target directory to the ZIP archive in the new directory.
- Rezip the archive and rename it, using the XAP extension.
You are now ready to upload the XAP file to the Veracode Platform.
While Veracode can analyze .NET applications compiled with optimizations, the line numbers on which flaws are reported may be incorrect. This is because the optimization process restructures the application without updating the debug information that provides the line numbers. For most actionable results with correct line numbers, submit the application with optimization disabled.
For both debug and non-debug builds, Veracode can scan .NET code that has been obfuscated with Dotfuscator Community Edition. Do not use code obfuscation tools other than Dotfuscator Community Edition, as that prevents the static binary scan from succeeding.
Supported .NET Frameworks and Technologies
|ADO.NET||3.0, 3.5, 4.0, 4.5|
|ASP.NET||1.1, 2.0, 3.0, 3.5, 4.0|
|ASP.NET Core||2.2 and earlier|
|ASP.NET MVC||3.x, 4.x, 5.x|
|ASP.NET Web API||5.2.3 and earlier|
|Entity||4.x-6.x, Core 2.1|
|LINQ||3.5, 4.0, 4.5|
|Microsoft Enterprise Library|
|.NET Compact Framework||1.0, 2.0, 3.x|
|.NET Micro Framework||2.0, 3.0, 4.x|
|.NET Remoting||1.1, 2.0, 3.0, 3.5, 4.0|
|2.2.3 and earlier|
Oracle Data Provider for .NET (ODP.NET)
|12c Release 4|
|SharePoint - Add-Ins only||2010-2013|
Web UI for ASP.NET, version Q2 2013
|Universal Windows Platform||10.x|
|Windows Communication Foundation (WCF) Rich Internet Application (RIA) services|
|Windows Communication Foundation||3.0, 3.5, 4.0|
|Windows Identity Foundation||3.0, 3.5, 4.0, 4.5|
|Windows Phone||7.x, 8.x|
|Windows Phone Silverlight||8.x|