
Veracode Compilation Instructions for .NET Languages

This document is for customer-licensed Veracode SAST. Last checked and updated 11-Jan-2018.

Supported .NET Languages and Technologies

| Language | Platform | Version | Compiler | Architecture |
|---|---|---|---|---|
| C#, VB.NET | .NET/Windows, .NET Core, .NET Portable Class Library | .NET 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5, 4.6, 4.7; Core 1.0, 1.1 (C# only) | Visual Studio .NET (2002), 2003, 2005, 2008, 2010, 2012, 2013, 2015, 2017; Mono 4.x | x86, x64 |
| C/C++ (C++/CLI) | | .NET 2.0, 3.0, 3.5, 4.0, 4.5, 4.6 (CLR 2.0) | Visual Studio 2005, 2008, 2010, 2012, 2013, 2015 | x86, x64 |

Packaging Guidance for .NET

Because Veracode analyzes compiled .NET bytecode, it may be possible for Veracode to discover results in applications written in other .NET languages, but these are not tested or supported. In particular, .NET applications that target the Dynamic Language Runtime are not supported.

Applications must be packaged as .exe, .dll, or .zip files.

Veracode cannot analyze a 32-bit module that has 64-bit dependencies, or vice versa. If your application has this architecture, rebuild it to ensure that the parent module and its dependencies are all either 32-bit or 64-bit, but not mixed.
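A pre-upload check for this condition, as an added example that is not part of the Veracode documentation: it reads the PE and CLR headers of each module and reports the set when x86 and x64 modules are mixed. The function names are hypothetical, and treating AnyCPU assemblies as compatible with either side is an assumption the page does not state.

```python
import struct
import sys
from pathlib import Path

MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def pe_architecture(data: bytes) -> str:
    """Classify a PE image as 'x86', 'x64' or 'AnyCPU' from its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsections = struct.unpack_from("<HH", data, pe + 4)
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    arch = MACHINES.get(machine, hex(machine))
    # Data directory 14 is the CLR header; its RVA is 0 in native images.
    dirs = opt + (112 if pe32plus else 96)
    clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0]
    if pe32plus or clr_rva == 0:
        return arch
    for i in range(nsections):                              # map the RVA to a file offset
        vsize, va, rsize, rptr = struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
        if va <= clr_rva < va + max(vsize, rsize):
            flags = struct.unpack_from("<I", data, rptr + clr_rva - va + 16)[0]
            # ILONLY (0x1) without 32BITREQUIRED (0x2) loads as 32- or 64-bit.
            return "AnyCPU" if flags & 0x1 and not flags & 0x2 else arch
    raise ValueError("CLR header RVA is outside every section")

def find_mixed(modules: dict) -> dict:
    """Return {name: architecture} if x86 and x64 modules are mixed, else {}."""
    archs = {name: pe_architecture(data) for name, data in modules.items()}
    fixed = set(archs.values()) - {"AnyCPU"}   # assumption: AnyCPU fits either side
    return archs if len(fixed) > 1 else {}

if __name__ == "__main__":
    # Usage: python check_arch.py <folder with the .exe/.dll files to upload>
    modules = {p.name: p.read_bytes() for p in Path(sys.argv[1]).iterdir()
               if p.suffix.lower() in (".dll", ".exe")}
    for name, arch in sorted(find_mixed(modules).items()):
        print(f"{arch:7} {name}")
```

An assembly built as "Any CPU, prefer 32-bit" carries the 32BITREQUIRED flag and is reported here as x86.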

Note: For web applications, Veracode requires the precompiled forms for your application. See Preparing .NET Web Applications (ASP.NET) below for more guidance.

Preparing Your .NET Application Using the Visual Studio Extension

Veracode offers a Visual Studio extension that can compile .NET applications (2.0 or later). Veracode recommends you use the extension to easily submit the precompiled forms that Veracode needs to successfully complete the scan. Use the instructions in the Integrating Veracode into Visual Studio Help Center page. If you are not using the Veracode Visual Studio extension, you should set the debug symbols as described here:

Debug Builds For .NET 2.0 and Later

If you are submitting a debug build, please make sure the binary files are compiled with the following settings:

  1. From Build > Configuration Manager, select Debug.
  2. Set Configuration to Debug.

    Refer to MSDN for the Debug settings for specific versions of Visual Studio.

Debug Builds for .NET 1.1

If you are submitting a debug build, please make sure the binary files are compiled with the following settings:

  1. From Project Properties > Configuration Properties > Build > Code Generation:
    1. Set Conditional Compilation Constants to DEBUG.
    2. Deselect Optimize Code.
  2. From Project Properties > Configuration Properties > Build > Outputs:
    1. Select Generate Debugging Information.
  3. From Project Properties > Configuration Properties > Advanced > General:
    1. Deselect Incremental Build.
    2. Deselect Do not Use Mscorlib.

Additional Settings for Console Applications

  1. From Project Properties > Configuration Properties > General > Application:
    1. Set Supported Runtimes to Microsoft .NET Framework v1.1 (default).

Debug Builds for C++/CLI (C++ on .NET)

  1. In General settings, set Debug Information Format to Program Database(/Zi).
  2. In General > Common Language Runtime Support, set Common Language Runtime Support (/clr).

  3. In Code Generation Settings, set Basic Runtime Checks to Default (/RTC1) and Buffer Security Check to No (/GS-).
  4. In Linker General Settings, set Enable Incremental Linking to No (/INCREMENTAL:NO).
  5. In Linker Debugging Settings, select Generate Debug Info (/DEBUG).
  6. In Linker > Advanced > CLR Image Type, select Force IJW Image (/CLRIMAGETYPE:IJW).
  7. In Compiler/Optimization Settings, select Disabled (/Od).
  8. In C/C++ > Precompiled Headers > Create/Use Precompiled Headers, select Not Using Precompiled Headers.
  9. Be sure to save the generated .pdb file, which is a required dependency.

Preparing .NET Web Applications (ASP.NET)

Veracode requires you to supply all the forms the application uses and all the dependencies in the compiled form, which are the .dll, .exe, and .pdb files. These analysis requirements are different from the deployment requirements because the ASP.NET server can compile these forms dynamically after deployment. If you do not submit precompiled forms, the scan can produce incomplete or incorrect results. See detailed instructions here.

Veracode recommends using the Veracode Visual Studio extension to precompile your ASP.NET forms for submission. See here for more information.

Preparing .NET Applications Using MSBuild

You can automate the preparation of .NET applications using MSBuild if there are no web forms in the application. As a post-build action, you can use the following example (Visual Studio 2015):

msbuild <solution> /t:Rebuild /tv:14

More MSBuild examples are available at

Packaging Guidance for SharePoint-hosted Add-Ins

When you submit SharePoint-hosted add-ins for analysis, extract the JavaScript and CSS files from the WSP file created as part of the SharePoint build process, and submit the JavaScript and CSS files as a separate ZIP file.

Note: Veracode does not support analysis of uncompiled ASPX files.

Packaging Guidance for Silverlight

There are two possible ways to scan a Silverlight application:

  • Use the Veracode Visual Studio plugin. Veracode recommends that you upload your Silverlight application using the Visual Studio extension. The plugin automatically generates and uploads the required corresponding .dll and .pdb files that Veracode needs to accurately display module names and line numbers.
  • Upload an .xap archive. The results from scanning an .xap archive lack the .pdb file that contains debug symbols, which means Veracode is unable to display the source filename and line numbers where the flaws are located.

You can use Visual Studio to manually find and add the .pdb files to the archive. To manually repackage the archive:

  1. In Visual Studio, build your Silverlight-based application package as normal, using C# with a debug configuration. The .pdb files are saved in the target directory along with the compressed .xap file, but they are not in the .xap archive itself.
  2. Rename the compressed .xap file in the target directory to a .zip file, and extract the files (preferably to a new directory).
  3. Add the .pdb files in the original target directory to the .zip archive in the new directory.
  4. Rezip the archive and rename it, using the .xap extension.

    You are now ready to upload the .xap file to the Veracode Platform.
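The repackaging steps above as a script, added here as an example that is not part of the Veracode documentation. The function name and the file paths in the usage comment are hypothetical; the script writes a new archive instead of modifying the original .xap, and it reports any packaged .dll for which the build output holds no .pdb.

```python
import sys
import zipfile
from pathlib import Path

def add_pdbs_to_xap(xap_path, target_dir, out_path):
    """Write a copy of xap_path to out_path with the .pdb of each packaged .dll added.

    Returns (added, missing): the .pdb entries added, and the .dll entries for
    which target_dir holds no .pdb (no source line numbers for those modules).
    """
    target = Path(target_dir)
    added, missing = [], []
    with zipfile.ZipFile(xap_path) as src, \
         zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        names = set(src.namelist())
        for info in src.infolist():            # steps 2 and 4: copy every original entry
            dst.writestr(info, src.read(info))
        for name in sorted(names):
            if not name.lower().endswith(".dll"):
                continue
            pdb_entry = name[:-4] + ".pdb"
            if pdb_entry in names:
                continue                       # already packaged
            pdb_file = target / Path(pdb_entry).name
            if pdb_file.is_file():             # step 3: add the .pdb from the build output
                dst.write(pdb_file, pdb_entry)
                added.append(pdb_entry)
            else:
                missing.append(name)
    return added, missing

if __name__ == "__main__":
    # Usage: python add_pdbs.py App.xap bin/Debug App.scan.xap  (paths are examples)
    added, missing = add_pdbs_to_xap(*sys.argv[1:4])
    print("added:", added)
    print("no .pdb found for:", missing)
```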

Optimized Code

While Veracode can analyze .NET applications compiled with optimizations, the line numbers on which flaws are reported may be incorrect. This is because the optimization process restructures the application without updating the debug information that provides the line numbers. For the most actionable results with correct line numbers, submit the application with optimization disabled.


For both debug and non-debug builds, Veracode can scan .NET code that has been obfuscated with Dotfuscator Community Edition. Do not use code obfuscation tools other than Dotfuscator Community Edition, as that prevents the static binary scan from succeeding.

Supported .NET Frameworks and Technologies

| Framework/Technology | Supported Version(s) | Notes |
|---|---|---|
| ADO.NET | 3.0, 3.5, 4.0, 4.5 | |
| ASP.NET | 1.1, 2.0, 3.0, 3.5, 4.0 | |
| ASP.NET MVC | 3.x, 4.x, 5.x | Includes .NET Web API and Razor. |
| ASP.NET Web API | 5.2.3 and earlier | |
| Entity | 4.x-6.x | |
| Log4Net | 1.2.x | |
| LINQ | 3.5, 4.0, 4.5 | |
| Microsoft Enterprise Library | | |
| .NET Compact Framework | 1.0, 2.0, 3.x | |
| .NET Micro Framework | 2.0, 3.0, 4.x | |
| .NET Remoting | 1.1, 2.0, 3.0, 3.5, 4.0 | |
| Newtonsoft Json.NET | 6.0 | |
| | 2.2.3 and earlier | |
| Oracle Data Provider for .NET (ODP.NET) | 12c Release 4 | |
| SharePoint | 2010-2013 | |
| Silverlight | 1-5 | |
| | Web UI for ASP.NET, version Q2 2013 | |
| Universal Windows Platform | 10.x | |
| Unity Container | 3 | Ensure all dependencies (DLL files) are included in the upload of the application. |
| Windows Communication Foundation (WCF) Rich Internet Application (RIA) services | | |
| Windows Communication Foundation | 3.0, 3.5, 4.0 | |
| Windows Identity Foundation | 3.0, 3.5, 4.0, 4.5 | |
| Windows Phone | 7.x, 8.x | |
| Windows Phone Silverlight | 8.x | |