React Native Packaging
Your React Native applications must meet specific compilation requirements before you can submit them for scanning.
See Supported Languages and Platforms for instructions for other platforms.
Required Files
Veracode recommends that you submit your React Native application as an archive containing the source code. You can also submit your application as a compiled iOS archive (IPA) or a compiled Android package (APK).
Supported React Native Versions
| Technology | Platform | Version |
|---|---|---|
| JavaScript/React Native | Android, iOS | 0.50–0.7x |
Packaging Guidance
Veracode Static Analysis supports three ways of packaging your React Native application. Please select only one to prevent duplicate flaws.
Option 1: (Preferred) Package as Source Code
When you upload a ZIP archive of the source code to Veracode, follow the packaging guidelines for JavaScript. Do not submit files that you built using webpack or other packaging mechanisms. Include the packaging information for NPM, Yarn, or Bower, but do not include the node_modules directory. The source files must be UTF-8 encoded.
Option 2: Package as iOS IPA: Modification of the project.pbxproj file
This packaging option requires React Native version 0.50—0.7x.
Open
project.pbxprojfile in any editor. This file is typically located inPROJECT_ROOT/ios/PROJECT_NAME.xcodeproj/Locate section with
Bundle React Native code and imagesdescription. UndershellScriptvariable, you see the preparedreact-native-xcode.shexecution.Add
export SOURCEMAP_FILE=main.jsbundle.mapto theshellScriptvariable, right beforereact-native-xcode.shexecution:
Before modification:
shellScript = "set -e\n\nexport NODE_BINARY=node\n../node_modules/react-native/scripts/react-native-xcode.sh\n";
After modification:
shellScript = "set -e\n\nexport NODE_BINARY=node\nexport SOURCEMAP_FILE=main.jsbundle.map\n../node_modules/react-native/scripts/react-native-xcode.sh\n";
Build an archive in either xcode or at the command line.
Verify that
main.jsbundleis in the archive and that themain.jsbundle.mapis either in the React Native project root or in the archive.If the
main.jsbundle.mapis not present in thexcarchive, copy it from project root to the same directory inside thexcarchive, wheremain.jsbundleis located.Build the IPA file out of the archive. Then, verify that both
main.jsbundleandmain.jsbundle.mapfiles are present in the IPA file.Submit a scan of the IPA file.
Option 3: Package as Android APK
- Disable hermes by setting
hermesEnabled=falseinandroid/gradle.properties. - Open
PROJECT_ROOT/android/app/build.gradleand, in thereactsection, add the following:debuggableVariants = []bundleAssetName = "index.jsbundle"
- Run
./gradlew assembleDebugin thePROJECT_ROOT/androiddirectory. - Use any suitable archiver available on your platform to add the bundle and the map into the APK archive. The
APK_FILE_ROOT/assetsdirectory should now includeindex.jsbundleandindex.jsbundle.map. Locate those files by, for example, runningfind . -type f -name "index.jsbundle"andfind . -type f -name "index.jsbundle.map"in thePROJECT_ROOTdirectory. By default, those files reside in:PROJECT_ROOT/android/app/build/generated/assets/createBundleDebugJsAndAssets/index.jsbundlePROJECT_ROOT/android/app/build/generated/sourcemaps/react/debug/index.jsbundle.map
Option 4: Legacy - Package as Android APK for React Native version before 0.72.0
You must modify two components to produce a package for analysis, in this sequence:
Modify the Gradle configuration file
build.gradleto define the bundle name:project.ext.react = [
bundleAssetName: "main.jsbundle",
]Edit the Android packager script
./node_modules/react-native/react.gradleto add these modifications to the build script:def jsBundleMapFile = "${jsBundleFile}.map"
"--sourcemap-output", jsBundleMapFile
After you make these modifications to the build scripts, use Gradle to create an APK file. Then, upload that file to Veracode for analysis.