Use the Custom Workflow


Edition date
Last publication

In the extension menu, select Advanced Options > Custom Workflow.

Next, select Build + Package to see what you are uploading to the Veracode Platform if you do not make many changes.

After Build + Package completes, open the temporary Veracode build output folder, which defaults to {SolutionDirectory}/.veracode/veracode-tmp/binary.

You can see a number of class library folders (e.g. ApplicationCore – almost always duplicated), a general docker-compose folder (again, with duplicate artifacts), and test class library folders, which you do not want to upload to Veracode. After analyzing the directories, it was decided that only PublicApi and Web were required. While BlazorAdmin is also a website, this is a monolithic application and BlazorAdmin is also contained in the main Web directory. Note that this application is the Microsoft .NET Core reference application, eShopOnWeb.

We're going to be removing the following directories before uploading to Veracode:

  • ApplicationCore: already in Web
  • BlazorAdmin: already in Web
  • BlazorShared: already in Web
  • docker-compose: redundant
  • FunctionalTests: test library
  • Infrastructure: already in Web
  • IntegrationTests: test library
  • UnitTests: test library

Next, if you open the Web folder and scroll to the very bottom, you see that in addition to the Web.dll and Web.pdb files, a Web.exe file is also generated. The Web.exe is a “self-contained executable” created during the .NET Core compilation process and should be removed before uploading to Veracode.

Go back to Visual Studio and open the veracode-build-microsoft.json file. Find the canRemoveExecutables property and set it to true. Default is false. This removes the Web.exe file from the files to be uploaded.

Open the file and find the VeracodeCleanBinaries target.

This includes a placeholder example that we're going to uncomment and copy/paste for each directory you want to remove.

<RemoveDir Directories="$(VeracodeTemporaryBuildPath)ApplicationCore" />
<RemoveDir Directories="$(VeracodeTemporaryBuildPath)OrchardCore.Benchmarks" />
<RemoveDir Directories="$(VeracodeTemporaryBuildPath)OrchardCore.Benchmarks" />

The final VeracodeCleanBinaries target looks like this:

Next, if you have JavaScript to include in the artifacts you want to upload to Veracode, look for the VeracodePackageJavaScript target.

Uncomment the code and replace the WebSite/Scripts directory with the name of your parent directory that contains the JavaScript and any child directories with JavaScript. There is one line to include the JavaScript and one line to exclude unnecessary JavaScript (e.g. min.js). This is an example for eShopOnWeb:

This is an example from another application (WebGoat.Net) that includes two parent directories (repeat the pattern for as many parent directories you need to include).

After updating the script, you can run Build + Package again and sanity check your output. You see the following in the root directory of the artifacts you want to upload:

You now see that in addition to the original binary directory, there is a JavaScript directory. In the binary directory, only two directories are included in the upload to Veracode.

Now open the Web directory to confirm the Web.exe file has been removed, as shown in this example.

In the JavaScript directory, you see two directories containing JavaScript. One includes what appears to be third party JavaScript libraries (the lib directory) and you might decide to remove those. You can ignore these directories.

After completing the one-time setup, 99% of the time you can select Run Scan and all build/packaging changes take effect for anyone that checks out this solution from source control.