Compilation Instructions for .NET Languages

Compilation Guide

Supported .NET Languages and Technologies

Language: C#, VB.NET
Platform: .NET/Windows; .NET Core; .NET Portable Class Library; .NET Standard
Version: .NET 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5-4.8; .NET Core 1.0, 1.1, 2.0-2.2; .NET Standard 2.0

Language: C++/CLI
Version: .NET 2.0, 3.0, 3.5, 4.0, 4.5-4.8 (CLR 2.0)

Note: Initial support for .NET 4.8

Because Veracode analyzes compiled .NET bytecode, it may be possible for Veracode to discover results in applications written in other .NET languages, but these are not tested or supported. In particular, .NET applications that target the Dynamic Language Runtime are not supported.

Note: Veracode does not support static analysis of Self-Contained Deployment (SCD) .NET Core applications.

You must upload JavaScript or TypeScript components separately, per the Packaging Instructions for JavaScript and TypeScript, even when using an integration such as the Veracode Visual Studio Extension or the Veracode Azure DevOps Extension.

Packaging Guidance for .NET

Applications must be packaged as EXE, DLL, or ZIP files.

Veracode cannot analyze a 32-bit module that has 64-bit dependencies, or vice versa. If your application has this architecture, rebuild it to ensure that the parent module and its dependencies are all either 32-bit or 64-bit, but not mixed.
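
A pre-upload check for the mixed 32-bit/64-bit condition described above, as an added example that is not Veracode's code: it reads each module's PE optional-header magic and, for managed PE32 images, the CLR header flags. The function names are hypothetical, and treating IL-only AnyCPU assemblies as compatible with either side is an assumption of this example.

```python
import struct
import sys
from pathlib import Path

# COMIMAGE_FLAGS_* bits from the CLR (COR20) header
ILONLY, REQUIRED_32, PREFERRED_32 = 0x1, 0x2, 0x20000

def pe_bitness(data):
    """Return '32-bit', '64-bit' or 'AnyCPU' for the bytes of an EXE/DLL."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                          # optional header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                                     # PE32+
        return "64-bit"
    # PE32: directory count at +92, directories at +96, entry 14 = CLR header
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    clr_rva = struct.unpack_from("<I", data, opt + 96 + 14 * 8)[0] if ndirs > 14 else 0
    if clr_rva == 0:
        return "32-bit"                                    # native code only
    for i in range(nsect):                                 # map RVA to file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        if vaddr <= clr_rva < vaddr + max(vsize, rsize):
            flags, = struct.unpack_from("<I", data, clr_rva - vaddr + rptr + 16)
            forced_32 = flags & REQUIRED_32 and not flags & PREFERRED_32
            # Assumption: only IL-only images without a hard 32-bit
            # requirement can load on either side.
            return "AnyCPU" if flags & ILONLY and not forced_32 else "32-bit"
    raise ValueError("CLR header is not inside any section")

def mixed_bitness(modules):
    """modules maps name -> file bytes. Returns name -> bitness when 32-bit
    and 64-bit modules are mixed, otherwise an empty dict."""
    kinds = {name: pe_bitness(blob) for name, blob in modules.items()}
    return kinds if {"32-bit", "64-bit"} <= set(kinds.values()) else {}

if __name__ == "__main__":
    folder = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    found = {p.name: p.read_bytes() for p in folder.iterdir()
             if p.suffix.lower() in (".exe", ".dll")}
    print(mixed_bitness(found) or "no 32-bit/64-bit mix found")
```

Run it against the build output directory before packaging; a non-empty result lists the modules to rebuild for a single architecture.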

Veracode requires debug symbols (PDB files) to be included with the application to accurately report the filenames and line numbers for findings.

For web applications, Veracode requires the precompiled forms for your application. See Preparing .NET Web Applications for more guidance.

Note: If you submit satellite assemblies for analysis, Veracode does not display a module for any of these assemblies that contain only resource files and no code.

Preparing Your .NET Application Using the Visual Studio Extension

Veracode offers a Visual Studio extension that can compile .NET applications (2.0 or later). Veracode recommends you use the extension to easily submit the precompiled forms that Veracode needs to successfully complete the scan. Use the instructions in the Integrating Veracode into Visual Studio Help Center page. If you are not using the Veracode Visual Studio Extension, you should set the debug symbols as described here:

Debug Builds For .NET 2.0 and Later

If you are submitting a debug build, make sure the binary files are compiled with the following settings:
  1. From Build > Configuration Manager, select Debug.
  2. Set Configuration to Debug.

    Refer to MSDN for the Debug settings for specific versions of Visual Studio.

Debug Builds for .NET 1.1

If you are submitting a debug build, make sure the binary files are compiled with the following settings:
  1. From Project Properties > Configuration Properties > Build > Code Generation:
    1. Set Conditional Compilation Constants to DEBUG.
    2. Deselect Optimize Code.
  2. From Project Properties > Configuration Properties > Build > Outputs:
    1. Select Generate Debugging Information.
  3. From Project Properties > Configuration Properties > Advanced > General:
    1. Deselect Incremental Build.
    2. Deselect Do not Use Mscorlib.

Additional Settings for Console Applications

  1. From Project Properties > Configuration Properties > General > Application:
    1. Set Supported Runtimes to Microsoft .NET Framework v1.1 (default).

Debug Builds for C++/CLI (C++ on .NET)

  1. In General settings, set Debug Information Format to Program Database(/Zi).
  2. In General > Common Language Runtime Support, set Common Language Runtime Support (/clr).

  3. In Code Generation Settings, set Basic Runtime Checks to Default (/RTC1) and Buffer Security Check to No (/GS-).
  4. In Linker General Settings, set Enable Incremental Linking to No (/INCREMENTAL:NO).
  5. In Linker Debugging Settings, select Generate Debug Info (/DEBUG).
  6. In Linker > Advanced > CLR Image Type, select Force IJW Image (/CLRIMAGETYPE:IJW).
  7. In Compiler/Optimization Settings, select Disabled (/Od).
  8. In C/C++ > Precompiled Headers > Create/Use Precompiled Headers, select Not Using Precompiled Headers.
  9. Be sure to save the generated PDB file, which is a required dependency.

Preparing .NET Web Applications (ASP.NET)

Veracode requires you to supply all the forms the application uses and all the dependencies in the compiled form, which are the DLL, EXE, and PDB files. These analysis requirements are different from the deployment requirements because the ASP.NET server can compile these forms dynamically after deployment. If you do not submit precompiled forms, the scan can produce incomplete or incorrect results. See detailed instructions here.

Veracode recommends using the Veracode Visual Studio Extension to precompile your ASP.NET forms for submission. See here for more information.

Preparing .NET Applications Using MSBuild

You can automate the preparation of .NET applications using MSBuild if there are no web forms in the application. As a post-build action, you can use the following example (Visual Studio 2015):

    msbuild <solution> /t:Rebuild /tv:14.0 /p:Configuration=Debug /p:OutputPath=bin

More MSBuild examples are available at https://msdn.microsoft.com/en-us/library/dd393574.aspx.

Packaging Guidance for SharePoint

Veracode supports analysis of provider- or SharePoint-hosted Add-Ins, and does not support analysis of SharePoint Web Parts.

When you submit SharePoint-hosted add-ins for analysis, extract the JavaScript and CSS files from the WSP file created as part of the SharePoint build process, and submit the JavaScript and CSS files as a separate ZIP file.
Note: Veracode does not support analysis of uncompiled ASPX files.

Packaging Guidance for Silverlight

There are two possible ways to scan a Silverlight application:
  • Use the Veracode Visual Studio Extension. Veracode recommends that you upload your Silverlight application using the Veracode Visual Studio Extension. The plugin automatically generates and uploads the required corresponding DLL and PDB files that Veracode needs to accurately display module names and line numbers.
  • Upload an XAP archive. The results from scanning an XAP archive lack the PDB file that contains debug symbols, which means Veracode is unable to display the source filename and line numbers where the flaws are located.
You can use Visual Studio to manually find and add the PDB files to the archive. To manually repackage the archive:
  1. In Visual Studio, build your Silverlight-based application package as normal, using C# with a debug configuration. The PDB files are saved in the target directory along with the compressed XAP file, but they are not in the XAP archive itself.
  2. Rename the compressed XAP file in the target directory to a ZIP file, and extract the files (preferably to a new directory).
  3. Add the PDB files in the original target directory to the ZIP archive in the new directory.
  4. Rezip the archive and rename it, using the XAP extension.

    You are now ready to upload the XAP file to the Veracode Platform.
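
The manual repackaging steps above, automated as an added example (not Veracode tooling): it copies the XAP's entries into a new archive and adds the PDB for each DLL. The function name is hypothetical, and the example assumes each PDB sits directly in the build target directory under the DLL's base name.

```python
import zipfile
from pathlib import Path

def repackage_xap(xap_path, target_dir, out_path):
    """Write a copy of the XAP to out_path with a PDB added for each DLL.

    Returns (added, missing): the PDB entries added, and the DLL entries
    for which no PDB was found in target_dir.
    """
    target_dir = Path(target_dir)
    added, missing = [], []
    with zipfile.ZipFile(xap_path) as src, \
         zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        names = set(src.namelist())
        for info in src.infolist():
            # Copy every original entry unchanged (manifest, DLLs, resources).
            dst.writestr(info, src.read(info.filename))
        for name in sorted(names):
            if not name.lower().endswith(".dll"):
                continue
            pdb_name = name[:-4] + ".pdb"
            if pdb_name in names:
                continue  # PDB is already inside the archive
            pdb_file = target_dir / Path(pdb_name).name
            if pdb_file.is_file():
                dst.write(pdb_file, pdb_name)
                added.append(pdb_name)
            else:
                missing.append(name)
    return added, missing
```

DLLs returned in `missing` are scanned without debug symbols, so findings in them carry no source filename or line number; third-party assemblies shipped without a PDB will normally appear there.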

Optimized Code

While Veracode can analyze .NET applications compiled with optimizations, the line numbers on which flaws are reported may be incorrect. This is because the optimization process restructures the application without updating the debug information that provides the line numbers. For the most actionable results with correct line numbers, submit the application with optimization disabled.

Obfuscation

For both debug and non-debug builds, Veracode can scan .NET code that has been obfuscated with Dotfuscator Community Edition. Do not use code obfuscation tools other than Dotfuscator Community Edition, as that prevents the static binary scan from succeeding.

Supported .NET Frameworks and Technologies

Framework/Technology                        Supported Versions
ADO.NET                                     3.0, 3.5, 4.0, 4.5
ASP.NET                                     1.1, 2.0, 3.0, 3.5, 4.0
ASP.NET Core                                2.2 and earlier
ASP.NET MVC                                 3.x, 4.x, 5.x
ASP.NET Web API                             5.2.3 and earlier
Dapper                                      All
Entity                                      4.x-6.x, Core 2.1
Log4Net                                     1.2.x
LINQ                                        3.5, 4.0, 4.5
Microsoft Enterprise Library
.NET Compact Framework                      1.0, 2.0, 3.x
.NET Micro Framework                        2.0, 3.0, 4.x
.NET Remoting                               1.1, 2.0, 3.0, 3.5, 4.0
Newtonsoft Json.NET                         6.0
NHibernate
Npgsql                                      2.2.3 and earlier
Oracle Data Provider for .NET (ODP.NET)     12c Release 4
SharePoint - Add-Ins only                   2010-2013
Silverlight                                 1-5
Telerik                                     Web UI for ASP.NET, version Q2 2013
Universal Windows Platform                  10.x
Unity Container                             3
Windows Communication Foundation (WCF) Rich Internet Application (RIA) services
Windows Communication Foundation            3.0, 3.5, 4.0
Windows Identity Foundation                 3.0, 3.5, 4.0, 4.5
Windows Phone                               7.x, 8.x
Windows Phone Silverlight                   8.x