Skip to main content

Quick reference for packaging requirements

Veracode provides compilation and packaging recommendations for popular languages and frameworks.

You can use the Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.

For language support specific to Veracode Pipeline Scan, see Pipeline Scan supported languages.

The following list provides a high-level overview of the packaging requirements for some of the most popular supported languages:

Java

Upload JAR, WAR, or EAR files with debug symbols.

.NET

Generate a debug build, zip the build files, include deps.json files, and upload the ZIP file.

  • If the application contains ASP files, publish the website to a directory, zip the published directory, and upload the ZIP file.

  • If the application contains TypeScript files, zip the source TypeScript files and upload them separately.

JavaScript and TypeScript

  • Upload a ZIP file containing your source code. Do not include test code or built distribution files.
  • Remove the node_modules directory if lock files are present.

PHP

Zip the application source files and upload the ZIP file. Include composer.lock in the root of your ZIP archive.

Scala

Upload JAR files with debug symbols.

Groovy

Upload JAR or WAR files with debug symbols.

Kotlin

Upload JAR or WAR files with debug symbols.

Apex

Zip the application source files and upload the ZIP file.

PL/SQL

Zip the application source files and upload the ZIP file.

Classic ASP

Zip the application source files and upload the ZIP file.

Perl

Zip the application source files and upload the ZIP file.

Python

Zip the application source files and upload the ZIP file. Include Pipfile.lock in the root of your ZIP archive.

Android

Generate a debug build and package it as an APK file.

Cordova

Upload a compiled APK or IPA file.

React Native

Zip the application source files and upload the ZIP file, or upload a compiled APK or IPA file.

Ionic

Zip the application source files and upload the ZIP file.

C++ using Red Hat Linux

Upload a debug build compiled with the -gdwarf-2 -g3 -O0 -fno-builtin flags using GCC.

Visual C++

Upload a debug build compiled with the /Zi /Od /GS- /MTd /link /INCREMENTAL:NO /DEBUG:FULL flags.

COBOL

Extract source code files from mainframe systems as UTF-8 encoded text files, zip the extracted files, and upload the ZIP file.

RPG

Extract source code files from mainframe systems as UTF-8 encoded text files, zip the extracted files, and upload the ZIP file.

Visual Basic 6

Zip the application source files and upload the ZIP file.