General Packaging Guidance

Compilation Guide

You may upload archives of multiple application files in the following formats: .zip, .tar, .tar.gz, .tgz. The Veracode Platform will expand the archive and list all the executable files it finds inside. The following rules apply to uploading archives:

  1. Do not upload a password protected archive. The Veracode Platform securely encrypts all files that are uploaded. It is not necessary to password protect the archive, and the platform will not be able to expand it if a password is present.
  2. Do not upload archives of archives. The platform only expands the top level of archives and will not proceed if it finds additional archives inside (except for JARs, EARs, and WARs).
  3. When using tar to combine multiple files, use the -h option to ensure that tar archives the file that the symbolic link points to, rather than archiving the symlink.
  4. Veracode does not support the RAR archive format.

General Compilation Guidance

There are specific compilation guidelines for a successful static scan. Depending on your language and platform, the settings Veracode specifies ensure that the Veracode Platform can successfully scan your application and provide results you can act upon.

Required Files

The Veracode Platform requires an executable set of files to perform a static scan; individual libraries or DLLs that support a main executable generally require the executable to perform an adequate scan. You must upload all executables. Where possible, upload first-party dependent libraries to improve the quality of the scan. (Note that all dependent libraries are required for C/C++ applications.) You are notified of any missing dependencies before the scan begins and have the opportunity to upload them.

If you want source file and line number information for flaws, you must upload the debug symbols for the application (either PDB files for Windows binaries, or applications built including debug symbols according to the instructions in this document). Note that you must upload debug symbols for C/C++ and iOS applications.

In general, for a successful upload of files to Veracode, please follow these basic guidelines:
  • Only upload applications built using UTF-8 encoding.
  • Do not upload obfuscated binaries.
  • Do not upload installer packages (e.g. Linux RPM, Windows InstallShield).
  • Do not upload Classic ASP applications in the same scan with application code written in other languages.