Requesting a Static Scan

Static Analysis

There are three steps to requesting a static scan: providing the application profile and requesting the scan, uploading binaries, and selecting the modules to scan and beginning the scan. You must have the Creator, Submitter, or Security Lead role to request a scan, and your account must also have the permission to request static scans.

You can request a static scan from the Applications page. To request a static scan for an existing application, click the Applications tab at the top, click the application name in the Applications list, then select Start a Static Scan from the Scans & Analysis dropdown menu. The Static Scan Configuration page opens for you to provide scan information.



Using the Auto-Scan Option

To accelerate your scan process, Veracode automatically selects your top-level modules for scanning and moves directly to the full scan after the prescan completes successfully. The default module selection that the Veracode scan engine makes does not include any module that Veracode determines to be a third-party top-level module. The exception is an application whose modules are all third-party code; in that case, Veracode selects all the top-level modules for scanning.

A prescan fails if you have not uploaded any top-level modules or if there are fatal or blocking errors for any top-level module. If you are rescanning an application, auto-scan does not continue to the full scan when the uploaded files differ from the previous upload. Instead, you receive an informational popup indicating how your uploads differ.

By default, auto-scan is on. To turn it off so that you can start scans manually, use the auto-scan option on the scan configuration page.



Uploading Files for Analysis

From the Upload Files page, click Select Files, and browse to the directory containing the compiled files or binaries, including their dependencies. Select the files and click Upload. Repeat this process until you have chosen all the required files. To upload a collection of files, upload a .zip, .tar, or .tar.gz archive. You can also drag and drop one or more files onto the Upload Files page. When you are finished uploading your files, click Next at the bottom of the screen.



The largest individual file you can upload is 2 GB. The maximum total size of all the files you upload for a single scan is 5 GB, and the maximum number of files you can scan at one time is 50,000. If you have problems uploading files or need to upload a very large file, contact Veracode Technical Support.

Include any non-standard or third-party libraries needed to resolve references. Do not upload cross-platform files, and do not upload applets, which Veracode does not scan. You should create separate application profiles for each platform version of the application, and scan each profile separately.
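The following script is an added example, not Veracode tooling, for checking an upload set locally before you start a scan. It applies the limits stated above (2 GB per file, 5 GB in total, 50,000 files) and flags content the page says not to upload: applet classes, detected by the java/applet/Applet superclass reference in the class constant pool, and archives nested inside a ZIP. Two assumptions are built in: the file-count limit is taken to apply to the files inside ZIP uploads as well as the uploads themselves, and only ZIP uploads are expanded (a .tar upload is counted as one file). The limits are parameters so the check can be tightened or exercised on small data.

```python
"""Pre-upload check for a Veracode static scan upload set.

Added example, not Veracode code. Checks the files you intend to upload
against the limits stated on this page (2 GB per file, 5 GB in total,
50,000 files) and flags content the page says not to upload.
Assumptions: the file-count limit applies to the files inside ZIP
uploads as well as the uploads themselves; only ZIP uploads are
expanded; a ZIP or tar archive nested inside a ZIP is a warning, not
an error.
"""
import os
import zipfile
from dataclasses import dataclass, field

GB = 1024 ** 3
MAX_FILE_BYTES = 2 * GB       # largest single upload
MAX_TOTAL_BYTES = 5 * GB      # total for one scan
MAX_FILE_COUNT = 50_000       # files scanned at one time

NESTED_ARCHIVES = (".zip", ".tar", ".tar.gz", ".tgz")
APPLET_MARKER = b"java/applet/Applet"   # superclass reference in an applet's constant pool


@dataclass
class UploadStats:
    uploaded: int = 0                 # files handed to the uploader
    members: int = 0                  # files Veracode will see once ZIPs are expanded
    total_bytes: int = 0
    largest: tuple = ("", 0)          # (name, size) of the biggest upload
    nested_archives: list = field(default_factory=list)
    applets: list = field(default_factory=list)


def inspect_uploads(paths, max_file=MAX_FILE_BYTES, max_total=MAX_TOTAL_BYTES,
                    max_count=MAX_FILE_COUNT):
    """Return (stats, problems) for the files at `paths`; problems is a list of messages."""
    stats = UploadStats()
    problems = []
    for path in paths:
        size = os.path.getsize(path)
        name = os.path.basename(path)
        stats.uploaded += 1
        stats.total_bytes += size
        if size > stats.largest[1]:
            stats.largest = (name, size)
        if size > max_file:
            problems.append(f"{name} exceeds the per-file limit ({size} > {max_file} bytes)")
        if not zipfile.is_zipfile(path):
            stats.members += 1          # counted as-is, not expanded
            continue
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                stats.members += 1
                member = info.filename
                lower = member.lower()
                if lower.endswith(NESTED_ARCHIVES):
                    stats.nested_archives.append(member)
                elif lower.endswith(".class") and APPLET_MARKER in zf.read(info):
                    stats.applets.append(member)
    if stats.total_bytes > max_total:
        problems.append(f"total upload size exceeds limit ({stats.total_bytes} > {max_total} bytes)")
    if stats.members > max_count:
        problems.append(f"file count exceeds limit ({stats.members} > {max_count})")
    if stats.applets:
        problems.append("applets are not scanned; remove: " + ", ".join(stats.applets))
    if stats.nested_archives:
        problems.append("archives nested inside a ZIP; confirm these are intended: "
                        + ", ".join(stats.nested_archives))
    return stats, problems


if __name__ == "__main__":
    import sys
    stats, problems = inspect_uploads(sys.argv[1:])
    print(f"{stats.uploaded} uploads, {stats.members} files, {stats.total_bytes} bytes, "
          f"largest {stats.largest[0]} ({stats.largest[1]} bytes)")
    for problem in problems:
        print("WARNING:", problem)
    sys.exit(1 if problems else 0)
```

Run it as `python check_uploads.py app.zip libs.zip` (script name assumed) from a build step; a non-zero exit stops a pipeline from submitting an upload set that the platform would reject or that would silently omit code you expected to be scanned.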

Quick Reference Packaging Guide

The Compilation Guide provides detailed compilation and packaging steps to allow for optimal analysis for all of the languages and frameworks that Veracode Static Analysis supports. The following list provides a high-level overview of the packaging requirements for some of the most popular supported languages:

Java
Upload WAR or EAR files with debug symbols.
.NET
Generate a debug build, zip the built files, and upload the ZIP file.
  • If the application contains ASP files, publish the website to a directory, zip the published directory, and upload the ZIP file.
  • If the application contains TypeScript files, zip the source TypeScript files and upload them separately.
JavaScript and TypeScript
Upload ZIP files, including the node_modules folder, if applicable.
PHP
Zip the application source files and upload the ZIP file.
Scala
Upload JAR files with debug symbols.
Groovy
Upload JAR or WAR files with debug symbols.
Apex
Zip the application source files and upload the ZIP file.
PL/SQL
Zip the application source files and upload the ZIP file.
Classic ASP
Zip the application source files and upload the ZIP file.
Perl
Zip the application source files and upload the ZIP file.
Python
Zip the application source files and upload the ZIP file.
Android
Generate a debug build and package it as an APK file.
Cordova
Upload a compiled APK or IPA file.
React Native
Upload a compiled APK or IPA file.
C++ (Red Hat Linux)
Upload a debug build compiled with the -gdwarf-2 -g3 -O0 -fno-builtin flags using GCC.
Visual C++
Upload a debug build compiled with the /Zi /Od /GS- /MTd /link /INCREMENTAL:NO /DEBUG:FULL flags.
COBOL
Extract source code files from mainframe system as UTF-8 encoded text files, zip the extracted files, and upload the ZIP file.
RPG
Extract source code files from mainframe system as UTF-8 encoded text files, zip the extracted files, and upload the ZIP file.
Visual Basic 6
Zip the application source files and upload the ZIP file.
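Several entries above require Java-family archives (WAR, EAR, JAR) to be built with debug symbols. The script below is an added example, not Veracode tooling, for verifying that before upload. It relies on a cheap heuristic rather than a full class-file parser: javac writes a LineNumberTable by default, but emits LocalVariableTable attributes only with full debug information (-g), so the presence of those attribute names in a class file is a proxy for how the class was compiled. Nested archives (WEB-INF/lib JARs inside a WAR, JARs and WARs inside an EAR) are descended into. The caveat is that interfaces and classes with no method bodies never carry these attributes, so the result is reported as counts per archive and a list of classes without line numbers, not a pass/fail per class.

```python
"""Check that a Java upload (JAR/WAR/EAR) was built with debug symbols.

Added example, not Veracode tooling. Heuristic: the attribute names
LineNumberTable and LocalVariableTable appear in a class file's constant
pool only when the compiler emitted them; javac emits LineNumberTable by
default and LocalVariableTable only with -g. Classes with no method
bodies carry neither, so counts are reported rather than a per-class
verdict.
"""
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
NESTED = (".jar", ".war", ".ear", ".zip")


def class_has_line_numbers(data: bytes) -> bool:
    """True if the class file declares a LineNumberTable attribute."""
    return data.startswith(CLASS_MAGIC) and b"LineNumberTable" in data


def class_has_local_vars(data: bytes) -> bool:
    """True if the class file declares a LocalVariableTable (javac -g)."""
    return data.startswith(CLASS_MAGIC) and b"LocalVariableTable" in data


def scan_archive(source, prefix=""):
    """Yield (path, has_line_numbers, has_local_vars) for every class,
    descending into nested archives; nested paths use the "outer!/inner" form."""
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(".class"):
                data = zf.read(info)
                yield prefix + name, class_has_line_numbers(data), class_has_local_vars(data)
            elif lower.endswith(NESTED):
                inner = io.BytesIO(zf.read(info))
                if zipfile.is_zipfile(inner):
                    inner.seek(0)
                    yield from scan_archive(inner, prefix + name + "!/")


def debug_summary(path):
    """Summarise debug information across all classes in the archive at `path`."""
    total = with_lines = with_locals = 0
    missing = []
    for name, has_lines, has_locals in scan_archive(path):
        total += 1
        with_lines += has_lines
        with_locals += has_locals
        if not has_lines:
            missing.append(name)
    return {
        "classes": total,
        "with_line_numbers": with_lines,
        "with_local_vars": with_locals,
        "missing_line_numbers": missing,
    }


if __name__ == "__main__":
    import sys
    for archive in sys.argv[1:]:
        summary = debug_summary(archive)
        print(f"{archive}: {summary['classes']} classes, "
              f"{summary['with_line_numbers']} with line numbers, "
              f"{summary['with_local_vars']} with local variable tables")
        for cls in summary["missing_line_numbers"]:
            print("  no line numbers:", cls)
```

A release build that strips debug information typically shows a with_line_numbers count near zero and a long missing list; a third-party JAR under WEB-INF/lib with no debug attributes is normal and is the kind of module Veracode excludes from its default selection anyway, so look at the classes under WEB-INF/classes first.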

Selecting Modules to Scan

You can only select the top-level modules to scan on the Veracode Platform. Top-level modules are the binaries identified during prescan verification that have entry points for external data, and all other binaries are the dependents of these top-level modules. A module is the file or files that Veracode scans, while the other files that you upload are the supporting files. No top-level module is dependent on another top-level module. Dependencies are scanned as a result of scanning the selected top-level modules that depend on them.

In Java, uploaded WAR and EAR files are always top-level modules. Uploaded JAR files are usually top-level modules, except when they are dependencies of an uploaded WAR or EAR. In .NET, uploaded EXE files are usually top-level modules, and uploaded DLL files may be top-level modules if they are not a dependency of another part of the application. In C++, the uploaded main application is the top-level module. In iOS, Ruby on Rails, PHP, and other languages supported by Veracode, the top-level modules are the uploaded files.
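To predict the default selection for a Java upload set before prescan runs, the rule above can be applied locally. The script below is an added example and not Veracode's own selection logic; it assumes that a standalone JAR counts as a dependency when a JAR with the same file name is packaged under WEB-INF/lib/ in an uploaded WAR or anywhere inside an uploaded EAR, and classifies everything else that is not a WAR, EAR or JAR as a supporting file.

```python
"""Classify uploaded Java artifacts as top-level modules or dependencies.

Added example, not Veracode code. Assumption: a JAR is a dependency when
a JAR of the same file name is packaged in an uploaded WAR (under
WEB-INF/lib/) or anywhere inside an uploaded EAR.
"""
import os
import zipfile


def bundled_jars(archive_path):
    """File names of the JARs packaged inside a WAR or EAR."""
    is_war = archive_path.lower().endswith(".war")
    names = set()
    with zipfile.ZipFile(archive_path) as zf:
        for entry in zf.namelist():
            if not entry.lower().endswith(".jar"):
                continue
            if is_war and not entry.startswith("WEB-INF/lib/"):
                continue          # a WAR's runtime dependencies live only under WEB-INF/lib
            names.add(os.path.basename(entry))
    return names


def classify_java_uploads(paths):
    """Map each uploaded file name to 'top-level', 'dependency of <archives>' or 'supporting file'."""
    containers = {os.path.basename(p): bundled_jars(p)
                  for p in paths if p.lower().endswith((".war", ".ear"))}
    result = {}
    for p in paths:
        name = os.path.basename(p)
        lower = name.lower()
        if lower.endswith((".war", ".ear")):
            result[name] = "top-level"
        elif lower.endswith(".jar"):
            owners = sorted(c for c, jars in containers.items() if name in jars)
            result[name] = f"dependency of {', '.join(owners)}" if owners else "top-level"
        else:
            result[name] = "supporting file"
    return result


if __name__ == "__main__":
    import sys
    for name, role in classify_java_uploads(sys.argv[1:]).items():
        print(f"{name}: {role}")
```

If a JAR you expect to be scanned comes back as a dependency, that is a sign it will be analysed as part of the WAR or EAR that bundles it rather than selected on its own; if a JAR you meant as a library comes back top-level, it is a candidate to drop from the selection to avoid the over-analysis discussed below.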

After prescan verification is complete, information about the scannable modules within the application is available on the Select Modules page. If this is the first time you have scanned this application, the Advanced Mode module selection interface displays a list of all the uploaded modules and their status.



Veracode performs a default module selection based on the structure of the application identified during prescan verification. To change your selection, select or clear the Entry Point? checkbox on the Advanced Mode module selection interface. Veracode does not recommend selecting additional modules beyond the default selection, as this can lead to over-analysis of the application and longer scan times.

The status of the module can be:

  • Validated: The module has been checked and is ready to be scanned.
  • Non-blocking issue (yellow highlight): The module has been checked. It has one or more issues that may impair the quality of results but does not prevent the scan from proceeding. The status column displays a summary of the issue.
  • Blocking error (red highlight): The module has been checked and has one or more issues that prevent it from being scanned. The status column displays a summary of the issue.
Note: You can filter the list of modules to show only the modules in error status (red or yellow).
Clicking the status text displays details about the blocking error or non-blocking issue, together with guidance for fixing it.

Guidance on resolving specific error messages is available.

If you have scanned this application before, the Simple Mode module selection interface displays a summary of the number of scannable modules. Veracode remembers the modules you selected in previous scans and automatically populates subsequent scan configurations for that application. In Scan Details, you can choose a file selection type. Select Previous Selection to reuse the file selection from the previous scan. Select Veracode Default to start from the default selection instead.



View Changes Between File Uploads

For the most consistent results, Veracode recommends that you scan the same files between scans. If you have scanned this application before, you can view the differences between the files you uploaded last time and the files you uploaded this time. On the Advanced Mode > Modules tab, the File Upload Information table shows the module changes between the current and previous upload.

The color indicators on the left of the modules specify the type of change that occurred in the module since the last time you uploaded your application.
  • Yellow indicates that there was a modification in the module.
  • Blue indicates that there is a new module.
  • Gray indicates that no change occurred in the module.
    Note: You can also view module upload changes between two subsequent sandbox scans, but if you promote the sandbox to a policy scan, you cannot view the changes between the sandbox and policy scan.
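The same comparison can be run locally before uploading, which is useful when the sandbox-to-policy case above hides it on the platform. The script below is an added example, not Veracode code; it hashes every member of the previous and current upload archives so that a file edited in place under the same name is reported as modified rather than unchanged, mirrors the three platform categories, and adds a "removed" category that a local comparison can see.

```python
"""Compare two upload archives member by member before rescanning.

Added example, not Veracode code. Hashes member contents so an in-place
edit with the same file name shows up as modified. Categories mirror the
platform's colour indicators (modified, new, unchanged); "removed" is
added because the local comparison can see it.
"""
import hashlib
import zipfile


def member_digests(archive_path):
    """Map each file member of a ZIP archive to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def upload_changes(previous_path, current_path):
    """Classify every member of the current upload relative to the previous one."""
    prev = member_digests(previous_path)
    cur = member_digests(current_path)
    return {
        "new": sorted(n for n in cur if n not in prev),
        "modified": sorted(n for n in cur if n in prev and cur[n] != prev[n]),
        "unchanged": sorted(n for n in cur if n in prev and cur[n] == prev[n]),
        "removed": sorted(n for n in prev if n not in cur),
    }


if __name__ == "__main__":
    import sys
    changes = upload_changes(sys.argv[1], sys.argv[2])
    for category, names in changes.items():
        print(f"{category} ({len(names)}):")
        for name in names:
            print("  ", name)
```

A long "modified" list for a change that should have touched one module usually means the build is not reproducible (embedded timestamps, differing compiler flags), which is worth fixing since it also makes results harder to compare across scans.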



Re-uploading Modules with Issues or Errors

If you need to re-upload binaries, or upload new binaries, click Update/Remove Files, locate the files to be added, and upload them.

Exporting Prescan Results

You can save the list of prescan findings as a text file that can be emailed or otherwise used to share prescan information with another user.

To export the prescan results to a text file:

  1. Click the Export Module List link at the bottom of the screen.
  2. Use the browser's Save As menu item to save the file to your local system.
  3. Click the browser's Back button to return to the list of modules.

Beginning the Scan

Click Begin Scan to submit your application for scanning.

Rescanning Applications

If you want to rescan an application, Veracode allows you to quickly review and amend the module selection and then rescan, without having to re-upload the modules.