React Native Application Packaging

Veracode Packaging Requirements

Veracode Packaging Requirements
Edition date
Last publication

Your React Native applications must meet specific compilation requirements before you can submit them for scanning.

See Supported Languages and Platforms for instructions for other platforms.

Required Files

Veracode recommends that you submit your React Native application as an archive containing the source code. You can also submit your application as a compiled iOS archive (IPA) or a compiled Android package (APK).

Supported React Native Versions

Technology Platform Version
JavaScript/React Native Android, iOS 0.50–0.6x

Packaging Guidance

Veracode Static Analysis supports three ways of packaging your React Native application. Please select only one to prevent duplicate flaws.

Option 1: (Preferred) Package as Source Code

When uploading a ZIP archive of the source code to Veracode, do not submit files that you built using webpack or other packaging mechanisms. Source files must be UTF-8 encoded.

Option 2: Package as iOS IPA: Modification of the project.pbxproj file

Note:This packaging option requires React Native version 0.50—0.70

  1. Open project.pbxproj file in any editor. This file is typically located in PROJECT_ROOT/ios/PROJECT_NAME.xcodeproj/

  2. Locate section with Bundle React Native code and images description. Under shellScript variable, you see the prepared execution.

  3. Add export to the shellScript variable, right before execution:

Before modification

            shellScript = "set -e\n\nexport NODE_BINARY=node\n../node_modules/react-native/scripts/\n";

After modification

            shellScript = "set -e\n\nexport NODE_BINARY=node\nexport\n../node_modules/react-native/scripts/\n";
  1. Build an archive in either xcode or at the command line.
  2. Verify that main.jsbundle is in the archive and that the is either in the React Native project root or in the archive.

  3. If the is not present in the xcarchive, copy it from project root to the same directory inside the xcarchive, where main.jsbundle is located.

  4. Build the IPA file out of the archive. Then, verify that both main.jsbundle and files are present in the IPA file.

  5. Submit a scan of the IPA file.

Option 3: Package as Android APK

You must modify two components to produce a package for analysis, in this sequence:

  1. Modify the Gradle configuration file build.gradle to define the bundle name:

     project.ext.react = [
          bundleAssetName: "main.jsbundle",
  2. Edit the Android packager script ./node_modules/react-native/react.gradle to add these modifications to the build script:

    def jsBundleMapFile = "${jsBundleFile}.map"
          "--sourcemap-output", jsBundleMapFile

After you make these modifications to the build scripts, use Gradle to create an APK file. Then, upload that file to Veracode for analysis.