You can upload archives of multiple application files in these formats: ZIP, TAR, TAR.GZ, TGZ. The Veracode Platform expands the archive and lists all the executable files it finds inside. The following rules apply to uploading archives:
- Do not upload a password protected archive. The Veracode Platform securely encrypts all files that are uploaded. It is not necessary to password protect the archive, and the Veracode Platform will not be able to expand it if a password is present.
- Do not upload archives of archives. The Veracode Platform only expands the top level of archives and will not proceed if it finds additional archives inside (except for JARs, EARs, and WARs).
- When using tar to combine multiple files, use the -h option to ensure that tar archives the file that the symbolic link points to, rather than archiving the symbolic link.
- Veracode does not support the RAR archive format.
When you upload your application files, Veracode uses specific rules for retaining user-provided and system-generated data.
General Compilation Guidance
There are specific compilation guidelines for a successful static scan. Depending on your language and platform, the settings Veracode specifies ensure that the Veracode Platform can successfully scan your application and provide results you can act upon.
If you want source file and line number information for flaws, you must upload the debug symbols for the application (either PDB files for Windows binaries, or applications built including debug symbols according to the instructions in this document). Note that you must upload debug symbols for C/C++ and iOS applications.
- Only upload files with names consisting of printable, UTF-8 characters.
- Only upload applications built using UTF-8 encoding.
- Do not upload obfuscated binaries.
- Do not upload installer packages, such as Linux RPM or Windows InstallShield.
- Do not upload Classic ASP applications in the same scan with application code written in other languages.