General Packaging Guidance

Compilation Guide

You can upload archives of multiple application files in the following formats: ZIP, TAR, TAR.GZ, TGZ. The Veracode Platform expands the archive and lists all the executable files it finds inside. The following rules apply to uploading archives:

  1. Do not upload a password protected archive. The Veracode Platform securely encrypts all files that are uploaded. It is not necessary to password protect the archive, and the Veracode Platform will not be able to expand it if a password is present.
  2. Do not upload archives of archives. The Veracode Platform only expands the top level of archives and will not proceed if it finds additional archives inside (except for JARs, EARs, and WARs).
  3. When using tar to combine multiple files, use the -h option to ensure that tar archives the file that the symbolic link points to, rather than archiving the symbolic link.
  4. Veracode does not support the RAR archive format.

Retention of Binaries

After you upload binaries, Veracode retains them for a short period to perform results-quality investigations upon request, and also to support rescan without re-upload. Veracode sets the default retention period to 45 days, but this period is subject to change. Veracode may decrease this retention period for your Veracode Platform account.

When the Veracode Platform deletes an uploaded binary, it adds an entry to the activity log for the scan indicating the binaries deleted for a specific scan, and attempts to cycle the encryption key.

General Compilation Guidance

There are specific compilation guidelines for a successful static scan. Depending on your language and platform, the settings Veracode specifies ensure that the Veracode Platform can successfully scan your application and provide results you can act upon.

Required Files

The Veracode Platform requires an executable set of files to perform a static scan. Individual libraries or DLLs that support a main executable generally require the executable to perform an adequate scan. You must upload all executables. Where possible, upload first-party dependent libraries to improve the quality of the scan. You are notified of any missing dependencies before the scan begins and have the opportunity to upload them.
Note: All dependent libraries are required for C/C++ applications.

If you want source file and line number information for flaws, you must upload the debug symbols for the application (either PDB files for Windows binaries, or applications built including debug symbols according to the instructions in this document). Note that you must upload debug symbols for C/C++ and iOS applications.

In general, for a successful upload of files to Veracode, please follow these basic guidelines:
  • Only upload files with names consisting of printable, UTF-8 characters.
  • Only upload applications built using UTF-8 encoding.
  • Do not upload obfuscated binaries.
  • Do not upload installer packages, such as Linux RPM or Windows InstallShield.
  • Do not upload Classic ASP applications in the same scan with application code written in other languages.