In the extension menu, select Advanced Options > Custom Workflow.
Next, select Build + Package to see what you are uploading to the Veracode Platform if you do not make many changes.
After Build + Package completes, open the temporary Veracode build output folder, which defaults to
You can see a number of class library folders (e.g. ApplicationCore – almost always duplicated), a general docker-compose folder (again, with duplicate artifacts), and test class library folders, which you do not want to upload to Veracode. After analyzing the directories, it was decided that only
Web were required. While BlazorAdmin is also a website, this is a monolithic application and BlazorAdmin is also contained in the main Web directory. Note that this application is the Microsoft .NET Core reference application, eShopOnWeb.
We're going to be removing the following directories before uploading to Veracode:
ApplicationCore: already in
BlazorAdmin: already in
BlazorShared: already in
FunctionalTests: test library
Infrastructure: already in
IntegrationTests: test library
UnitTests: test library
Next, if you open the Web folder and scroll to the very bottom, you see that in addition to the Web.pdb files, a Web.exe file is also generated. The Web.exe is a “self-contained executable” created during the .NET Core compilation process and should be removed before uploading to Veracode.
Go back to Visual Studio and open the veracode-build-microsoft.json file. Find the canRemoveExecutables property and set it to true. Default is false. This removes the Web.exe file from the files to be uploaded.
Veracode.Package.build file and find the
This includes a placeholder example that we're going to uncomment and copy/paste for each directory you want to remove.
<RemoveDir Directories="$(VeracodeTemporaryBuildPath)ApplicationCore" />
<RemoveDir Directories="$(VeracodeTemporaryBuildPath)OrchardCore.Benchmarks" />
<RemoveDir Directories="$(VeracodeTemporaryBuildPath)OrchardCore.Benchmarks" />
VeracodeCleanBinaries target looks like this:
Uncomment the code and replace the
min.js). This is an example for eShopOnWeb:
This is an example from another application (WebGoat.Net) that includes two parent directories (repeat the pattern for as many parent directories as you need to include).
After updating the Veracode.Package.build script, you can run Build + Package again and sanity check your output. You see the following in the root directory of the artifacts you want to upload:
You now see that in addition to the original binary directory, only two directories are included in the upload to Veracode.
Now open the Web directory to confirm the Web.exe file has been removed, as shown in this example.
lib directory) and you might decide to remove those. You can ignore these directories.
After completing the one-time setup, 99% of the time you can select Run Scan and all build/packaging changes take effect for anyone that checks out this solution from source control.
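The sanity check of the Build + Package output described above can be scripted so it is repeated the same way after every packaging change. This is an added example, not part of the Veracode tooling: audit_package and build_sample are hypothetical helper names, and the sample folder layout is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Directories this page removes before upload (names taken from the list above).
UNWANTED_DIRS = {
    "ApplicationCore", "BlazorAdmin", "BlazorShared", "Infrastructure",
    "FunctionalTests", "IntegrationTests", "UnitTests",
}


def audit_package(output_root):
    """Return findings for a Build + Package output folder; empty list means clean."""
    root = Path(output_root)
    findings = []
    # Top-level folders that the RemoveDir entries should have deleted.
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and entry.name in UNWANTED_DIRS:
            findings.append(f"unwanted directory: {entry.name}")
    # Any .exe still present (the page removes Web.exe via canRemoveExecutables).
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".exe":
            findings.append(f"executable present: {path.relative_to(root).as_posix()}")
    return findings


def build_sample(root, cleaned):
    """Create a constructed sample layout, before (cleaned=False) or after cleanup."""
    root = Path(root)
    (root / "Web").mkdir(parents=True)
    (root / "Web" / "Web.dll").write_bytes(b"")  # constructed placeholder files
    (root / "Web" / "Web.pdb").write_bytes(b"")
    if not cleaned:
        (root / "Web" / "Web.exe").write_bytes(b"")
        for name in ("ApplicationCore", "UnitTests"):
            (root / name).mkdir()
            (root / name / f"{name}.dll").write_bytes(b"")


if __name__ == "__main__":
    for cleaned in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp, cleaned)
            result = audit_package(tmp)
            print("after cleanup:" if cleaned else "before cleanup:", result or "clean")
```

To use it on a real build, pass the temporary Veracode build output folder to audit_package and adjust UNWANTED_DIRS to the directories your own solution produces.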