This document is for customers licensed for Veracode SAST. Last checked and updated 11-Jan-2018.
Supported .NET Languages and Technologies
|C#, VB.NET||.NET/Windows, .NET Core, .NET Portable Class Library||.NET 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5, 4.6, 4.7; Core 1.0, 1.1 (C# only)||Visual Studio .NET (2002), 2003, 2005, 2008, 2010, 2012, 2013, 2015, 2017; Mono 4.x||x86, x64|
|C/C++ (C++/CLI)||.NET 2.0, 3.0, 3.5, 4.0, 4.5, 4.6 (CLR 2.0)||Visual Studio 2005, 2008, 2010, 2012, 2013, 2015||x86, x64|
Packaging Guidance for .NET
Because Veracode analyzes compiled .NET bytecode, it may be possible for Veracode to discover results in applications written in other .NET languages, but these are not tested or supported. In particular, .NET applications that target the Dynamic Language Runtime are not supported.
Applications must be packaged as .exe, .dll, or .zip files.
Preparing Your .NET Application Using the Visual Studio Extension
Veracode offers a Visual Studio extension that can compile .NET applications (2.0 or later). Veracode recommends you use the extension to easily submit the precompiled forms that Veracode needs to successfully complete the scan. Use the instructions in the Help Center page. If you are not using the Veracode Visual Studio extension, set the debug symbols as described here:
Debug Builds For .NET 2.0 and Later
- From Debug. , select
- Set Debug.
Refer to MSDN for the Debug settings in specific versions of Visual Studio.
Debug Builds for .NET 1.1
- Set Conditional Compilation Constants to DEBUG.
- Deselect Optimize Code.
- Select Generate Debugging Information.
- Deselect Incremental Build.
- Deselect Do not Use Mscorlib.
Additional Settings for Console Applications
- From :
- Set Supported Runtimes to Microsoft .NET Framework v1.1 (default).
Debug Builds for C++/CLI (C++ on .NET)
- In General settings, set Debug Information Format to Program Database (/Zi).
- In Common Language Runtime
- In Code Generation Settings, set Basic Runtime Checks to Default (/RTC1) and Buffer Security Check to No (/GS-).
- In Linker General Settings, set Enable Incremental Linking to No (/INCREMENTAL:NO).
- In Linker Debugging Settings, select Generate Debug Info (/DEBUG).
- In Force IJW Image (/CLRIMAGETYPE:IJW). , select
- In Compiler/Optimization Settings, select Disabled (/Od).
- In Not Using Precompiled Headers. , select
- Be sure to save the generated .pdb file, which is a required dependency.
Preparing .NET Web Applications (ASP.NET)
Veracode requires you to supply all the forms the application uses and all the dependencies in the compiled form, which are the .dll, .exe, and .pdb files. These analysis requirements are different from the deployment requirements because the ASP.NET server can compile these forms dynamically after deployment. If you do not submit precompiled forms, the scan can produce incomplete or incorrect results. See detailed instructions.
Veracode recommends using the Veracode Visual Studio extension to precompile your ASP.NET forms for submission. Seefor more information.
Preparing .NET Applications Using MSBuild
msbuild <solution> /t:Rebuild /tv:14 /p:Configuration=Debug /p:OutputPath=bin
More MSBuild examples are available at https://msdn.microsoft.com/en-us/library/dd393574.aspx.
Packaging Guidance for SharePoint-hosted Add-Ins
Packaging Guidance for Silverlight
- Use the Veracode Visual Studio extension. Veracode recommends that you upload your Silverlight application using the Visual Studio extension. The plugin automatically generates and uploads the required corresponding .dll and .pdb files that Veracode needs to accurately display module names and line numbers.
- Upload an .xap archive. The results from scanning an .xap archive lack the .pdb file that contains debug symbols, which means Veracode is unable to display the source filename and line numbers where the flaws are located.
- In Visual Studio, build your Silverlight-based application package as normal, using C# with a debug configuration. The .pdb files are saved in the target directory along with the compressed .xap file, but they are not in the .xap archive itself.
- Rename the compressed .xap file in the target directory to a .zip file, and extract the files (preferably to a new directory).
- Add the .pdb files in the original target directory to the .zip archive in the new directory.
- Rezip the archive and rename it, using the .xap extension.
You are now ready to upload the .xap file to the Veracode Platform.
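The repackaging steps above can be scripted. The following Python is an added example, not Veracode's own tooling: `add_pdbs_to_xap` writes a new .xap holding the original entries plus the .pdb files from the build output directory, and `modules_missing_pdb` lists .dll/.exe entries that still lack a same-named .pdb, a check that applies equally to a .zip upload. All function and file names are assumptions made for the example.

```python
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

MODULE_EXTS = {".dll", ".exe"}

def add_pdbs_to_xap(xap_path, build_dir, out_path):
    """Write a copy of xap_path to out_path with build_dir's .pdb files added."""
    xap_path, out_path = Path(xap_path), Path(out_path)
    if xap_path.resolve() == out_path.resolve():
        raise ValueError("write to a new file, not over the original .xap")
    added = []
    with zipfile.ZipFile(xap_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        present = {n.lower() for n in src.namelist()}
        for info in src.infolist():          # copy the original entries as they are
            dst.writestr(info, src.read(info))
        for pdb in sorted(Path(build_dir).glob("*.pdb")):
            if pdb.name.lower() not in present:
                dst.write(pdb, arcname=pdb.name)
                added.append(pdb.name)
    return added

def modules_missing_pdb(archive_path):
    """List .dll/.exe entries that have no same-named .pdb next to them."""
    with zipfile.ZipFile(archive_path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    present = {n.lower() for n in names}
    return sorted(
        n for n in names
        if PurePosixPath(n).suffix.lower() in MODULE_EXTS
        and str(PurePosixPath(n).with_suffix(".pdb")).lower() not in present
    )

def demo():
    """Build a constructed sample .xap and .pdb, repackage, and check the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp)
        with zipfile.ZipFile(build / "Sample.xap", "w") as z:   # constructed sample
            z.writestr("AppManifest.xaml", "<Deployment/>")
            z.writestr("Sample.dll", b"MZ placeholder")
            z.writestr("Helper.dll", b"MZ placeholder")
        (build / "Sample.pdb").write_bytes(b"placeholder symbols")
        before = modules_missing_pdb(build / "Sample.xap")
        added = add_pdbs_to_xap(build / "Sample.xap", build, build / "Upload.xap")
        after = modules_missing_pdb(build / "Upload.xap")
    return before, added, after

if __name__ == "__main__":
    print(demo())
```

In the constructed sample, `Helper.dll` is still reported after repackaging because the build directory holds no `Helper.pdb`; flaws in that module would be reported without source file names and line numbers.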
While Veracode can analyze .NET applications compiled with optimizations, the line numbers on which flaws are reported may be incorrect. This is because the optimization process restructures the application without updating the debug information that provides the line numbers. For the most actionable results with correct line numbers, submit the application with optimization disabled.
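A pre-upload check for the optimization and debug-symbol guidance above, as an added example that is not part of Veracode's documentation or tooling: it reads the `Optimize` and `DebugType` MSBuild properties that apply to one configuration of a project file. The function names and the sample project are constructed for the example, and only values written in the file itself are considered (imported defaults are not evaluated).

```python
import xml.etree.ElementTree as ET

# Constructed sample project file, not taken from the page.
SAMPLE_CSPROJ = """\
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
    <DebugSymbols>true</DebugSymbols>
    <DebugType>full</DebugType>
    <Optimize>true</Optimize>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
    <DebugType>none</DebugType>
    <Optimize>true</Optimize>
  </PropertyGroup>
</Project>
"""

def local_name(tag):
    """Strip the XML namespace that old-style project files put on every tag."""
    return tag.rsplit("}", 1)[-1]

def scan_build_problems(csproj_text, configuration="Debug"):
    """Return (property, value, reason) for settings that degrade scan results."""
    props = {}
    for group in ET.fromstring(csproj_text).iter():
        if local_name(group.tag) != "PropertyGroup":
            continue
        cond = group.get("Condition", "")
        # Unconditioned groups apply to every configuration.
        if cond and f"'{configuration}|" not in cond and f"'{configuration}'" not in cond:
            continue
        for child in group:
            props[local_name(child.tag)] = (child.text or "").strip().lower()
    problems = []
    if props.get("Optimize") == "true":
        problems.append(("Optimize", "true", "reported line numbers may be incorrect"))
    if props.get("DebugType") == "none":
        problems.append(("DebugType", "none", "no .pdb is produced"))
    return problems

if __name__ == "__main__":
    for cfg in ("Debug", "Release"):
        print(cfg, scan_build_problems(SAMPLE_CSPROJ, cfg))
```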
For both debug and non-debug builds, Veracode can scan .NET code that has been obfuscated with Dotfuscator Community Edition. Do not use code obfuscation tools other than Dotfuscator Community Edition, as that prevents the static binary scan from succeeding.
Supported .NET Frameworks and Technologies
|ADO.NET||3.0, 3.5, 4.0, 4.5|
|ASP.NET||1.1, 2.0, 3.0, 3.5, 4.0|
|ASP.NET CORE MVC||1.1|
|ASP.NET MVC||3.x, 4.x, 5.x||Includes .NET Web API and Razor.|
|ASP.NET Web API||5.2.3 and earlier|
|LINQ||3.5, 4.0, 4.5|
|Microsoft Enterprise Library|
|.NET Compact Framework||1.0, 2.0, 3.x|
|.NET Micro Framework||2.0, 3.0, 4.x|
|.NET Remoting||1.1, 2.0, 3.0, 3.5, 4.0|
|2.2.3 and earlier|
|Oracle Data Provider for .NET (ODP.NET)||12c Release 4|
Web UI for ASP.NET, version Q2 2013
|Universal Windows Platform||10.x|
|Unity Container||3||Ensure all dependencies (DLL files) are included in the upload of the application.|
|Windows Communication Foundation (WCF) Rich Internet Application (RIA) services|
|Windows Communication Foundation||3.0, 3.5, 4.0|
|Windows Identity Foundation||3.0, 3.5, 4.0, 4.5|
|Windows Phone||7.x, 8.x|
|Windows Phone Silverlight||8.x|