You can precompile ASP.NET WebForms and MVC Views using the Publish feature in Visual Studio. You automate the precompilation using the MSBUILD command-line tool.
To automate with MSBUILD, use Visual Studio to precompile your ASP.NET application and generate the .pubxml file, which is created in your folder in your ASP.NET Web project.
The following table describes the PUBXML file values:
|WebPublishMethod||REQUIRED - Set to FileSystem so that the precompiled files are written to the local filesystem.|
|PublishProvider||REQUIRED - Set to FileSystem so that the precompiled files are written to the local filesystem.|
|LastUsedBuildConfiguration||Set to Debug. This value is set by the Publish option in Visual Studio to track the last Build Configuration that the Veracode Platform used last time. You should set this value to the Build Configuration you need to target.|
|LastUsedPlatform||Set to Any CPU. This value is set by the Publish option in Visual Studio to track the last used platform. This value should be set to the platform the user needs to target.|
|ExcludeApp_Data||Set this value to the requirements for your project.|
|publishUrl||REQUIRED - This value is the filepath to which the precompiled assemblies are written. This value is the location where you pick up the files to zip up and upload to the Veracode Platform.|
|PrecompileBeforePublish||REQUIRED - Set to True to precompile the ASPX WebForms or the CSHTML views.|
|DeleteExistingFiles||If set to True, the output directory (publishUrl) is purged before output is written to it. Veracode recommends to start out with a clean slate.|
|EnableUpdateable||REQUIRED - Set to False, otherwise the CSHTML View/ASPX WebForm is still editable, which results in new compilation and use of the View or WebForm.|
|DebugSymbols||REQUIRED - You must set this to True to retain the debug symbols.|
|WDPMergeOption||REQUIRED - You must set this to CreateSeparateAssembly, which instructs the compiler to create an assembly for each page or view.|
|UseFixedNames||REQUIRED - You must set this to True, which instructs the compiler to allow all the separately created assemblies to start with the same name.|
|UseMerge||If present, you must set this value to False, you do not want to merge any of the output.|
You can also specify the PublishProfile property as a name instead of a path to a file. Other switches may be needed, depending on your environment and/or requirements.
Using a VS Project File to Precompile Without a PUBXML Configuration File
There is a way to precompile and package ASP.NET WebForms and MVC Views without the .pubxml file.
The following example uses a .csproj file to precompile, merge, and then package it in a deployment ZIP file:
msbuild ContosoUniversity.csproj /p:OutputPath=bin /p:DeployOnBuild=true /p:PublishProvider="FileSystem" /p:PrecompileBeforePublish=true /p:EnableUpdateable=false /p:DebugSymbols=true /p:WDPMergeOption="CreateSeparateAssembly" /p:UseFixedNames=true
You can use the above example to build a web project if you substitute the .csproj name and use these specific parameters and values from the command line:
msbuild ContosoUniversity.csproj /p:OutputPath=bin /p:DeployOnBuild=true /p:PrecompileBeforePublish=true /p:EnableUpdateable=false /p:DebugSymbols=true /p:WDPMergeOption="CreateSeparateAssembly" /p:WebPublishMethod="FileSystem" /p:UseMerge=false
The ZIP file contains all the assemblies needed to deploy the web application. You can also upload this ZIP file to the Veracode Platform. Based on the command line in the example above, the deployment package is in a subfolder under the output path: bin\_PublishedWebsites\ContosoUniversity_Package\ContosoUniversity.zip.
Using a Solution File to Precompile Without a PUBXML Configuration File
msbuild ContosoUniversity.sln /t:Rebuild /tv:14.0 /p:OutputPath=bin /p:DeployOnBuild=true /p:WebPublishMethod=FileSystem /p:PrecompileBeforePublish=true /p:EnableUpdateable=false /p:DebugSymbols=true /p:UseMerge=false /p:DeleteAppCodeCompiledFiles=True /p:DeleteExistingFiles=True /p:WDPMergeOption=CreateSeparateAssembly /p:UseFixedNames=true
Change the /t: and /tv: parameters to specify the required targets and the version of Visual Studio you are using. For example, /tv:14.0 is Visual Studio 2015 and /tv:12.0 is Visual Studio 2013. The target version parameter /tv: is not required for Visual Studio 2017 or later.
Using the Veracode API Wrappers from the Command Line
Use the uploadandscan action from the API wrapper to help automate uploading the .NET application to Veracode.