Static for Visual Studio 2015 and 2017
This extension only supports Static Analysis scans. To run Static Analysis scans and use Veracode Fix to apply suggested code patches to flaws, we recommend you use Veracode Scan for Visual Studio.
Veracode Static for Visual Studio is an extension for Microsoft Visual Studio. You use the extension to compile your applications into binaries, upload the binaries to Veracode for static analysis, and review scan results from within the IDE. You must upload any JavaScript code separately, as described in the compilation instructions.
Supported versions
Veracode has tested the following versions, but the integration might work with other versions.
Visual Studio 2015–2017
Supported languages and frameworks
Veracode has tested the following versions, but the integration might work with other versions.
- .NET Core 2.0 requires Visual Studio 2017
- .NET Framework 3.5
- .NET Framework 4.0–4.7. Visual Studio 2017 only supports .NET 4.5.2–4.7
For more details, see the packaging requirements.
Prerequisites
Before you can use Veracode Static for Visual Studio, you must have:
- Installed a supported version of Visual Studio and ensured your code meets the packaging requirements.
- Stored your API credentials in an API credentials file on Windows.
- One of these account types:
  - A user account with these roles:
    - Creator or Security Lead role to create builds of your applications with the necessary Veracode settings
    - Submitter role to upload scans to Veracode
    - Sandbox User role to create sandboxes to use with the extension
    - Reviewer role to check scan completion, propose mitigations, and import results to Visual Studio
    - Mitigation Approver role to approve mitigations
  - An API service account with these API roles:
    - Upload and Scan API to create application profiles, create sandboxes, and upload and scan applications
    - Upload API - Submit Only to submit scans
    - Mitigation API to mitigate flaws found in applications
    - Results API to download, import, and view Veracode results
  If you do not have an account with these roles, you receive access denial errors.
- Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The extension uses these addresses to authenticate with Veracode. To update your allowlist, you might need to contact your IT team.
- If you use a proxy to access Veracode, ensure you have configured a proxy in your IDE. You cannot configure a proxy in the Veracode extension. For more information, see the Microsoft documentation.
- If you are using Visual Studio 2019 with .NET Framework version 4.8, you must disable an option in Visual Studio to ensure scan results display correctly in the IDE.
Install the Visual Studio extension
You can install Veracode Static for Visual Studio using a standalone VSIX package file.
If you have Visual Studio 2019 or 2022, see Veracode Static for Visual Studio 2019 and 2022 or Veracode Scan for Visual Studio.
Before you begin:
Ensure you meet the prerequisites.
If you can access the Visual Studio Marketplace from Visual Studio, you can download and install Veracode Static for Visual Studio from within the IDE. For example, in Visual Studio 2019, you can select Extensions > Manage Extensions. Then, search for Veracode to see the list of Veracode extensions available for your version of Visual Studio.
To complete this task:
- Exit Visual Studio.
- Go to the Microsoft Visual Studio Marketplace.
- Search for Veracode.
- From the Version dropdown menu, select your version of Visual Studio.
- In the search results, select the link for Veracode Static for Visual Studio.
- Select Download to download the VSIX package file.
- Double-click the VSIX package file and follow the on-screen instructions to install the extension.
- To verify that the installation completed successfully, open Visual Studio and locate the Veracode Static menu.
By default, Veracode Static for Visual Studio automatically checks for updates. To ensure you configure the extension to update automatically, in Visual Studio, select the Automatically update this extension checkbox. If you want to update the extension manually, clear the checkbox and see the Visual Studio documentation for instructions on performing a manual update.
Configure the Visual Studio extension
Configure Veracode Static for Visual Studio to enable access to Veracode and, optionally, configure precompilation settings.
Before you begin:
- Ensure you meet the prerequisites.
- You have installed the extension.
To complete this task:
- In Visual Studio, select Extensions > Veracode Static > Options.
- Select a tab to view the configuration settings:
- Credentials: explains that you are required to use an API credentials file. You can no longer use username and password credentials. If you have already configured this file, the extension detects and uses it automatically.
- Proxy: optionally, configure proxy settings for the extension.
- Precompilation: configure precompilation settings that the extension uses during builds.
- Detailed Reports: optionally, select to save the detailed report XML file to your local computer and the location for the report.
Configure proxy settings
Configure Veracode Static for Visual Studio to access Veracode through a proxy.
Before you begin:
- Ensure you meet the prerequisites.
- Ensure you have installed the extension.
- Ensure you can configure the extension to use the correct HTTPS proxy settings for accessing Veracode. If you are unsure about your proxy settings, contact your network IT team.
To complete this task:
- In Visual Studio, select Extensions > Veracode Static > Options > Proxy.
- Select Connect using the default HTTPS proxy settings if you want to use the HTTPS proxy settings that you previously configured within your IDE. If you want to specify different proxy settings, complete these steps.
- Select Connect using the following proxy settings.
- Select Edit.
- Enter the proxy settings. Optionally, select the Requires Authentication option.
- Select OK.
- In the Preferences window, select OK.
Precompilation options
In the Veracode Static for Visual Studio Options window, you can use the settings on the Precompilation tab to configure MSBuild and select a legacy precompilation method. You can usually accept the default values.
Precompilation and Publish Target Directory
Specifies the location of the precompilation target directory in which to publish the build artifacts. The extension saves this value to the VeracodePrecompileProfile.pubxml file, which it creates during the precompilation process.
Publish on build with Veracode settings
Select this checkbox to invoke the precompile or publish process after a build or rebuild.
Use legacy precompilation method
- Select this checkbox to use the legacy method for precompiling and publishing, instead of the MSBuild method configured under the ASP.NET Publish section in the window. The MSBuild settings are saved. You can clear this checkbox to return to the MSBuild precompilation method.
- Project-less templates, such as web forms applications, require that the Use legacy precompilation method checkbox is selected. The new functionality relies directly on MSBuild, which does not fully support legacy project-less templates.
MSBuild Directory
If MSBuild is not located in one of the standard MSBuild paths, you see the preferences window with an empty MSBuild Directory field. See Troubleshooting precompilation errors if you have problems.
- In general, you can use a later version of MSBuild on projects created with older versions of Visual Studio.
- In the MSBuild Directory field, enter the directory path of the MSBuild version you want to use.
Default MSBuild Arguments
This line shows the default MSBuild arguments:
${SolutionName} /p:DeployOnBuild=true /p:PublishProfile=VeracodePrecompileProfile
At runtime, the full path to the solution currently open in the Visual Studio Solution Explorer replaces the SolutionName variable. The other two parameters are required for MSBuild to precompile the solution and, more specifically, each web project in the solution.
The last parameter, /p:PublishProfile=VeracodePrecompileProfile, instructs MSBuild to find a publish profile named VeracodePrecompileProfile.pubxml in the default publish profiles directory, for example, WebProjectRoot/Properties/PublishProfiles.
By default, if you do not modify the /p:PublishProfile property and the extension does not find the VeracodePrecompileProfile.pubxml file in the default publish profiles directory, it creates the VeracodePrecompileProfile.pubxml file. If you want to place this file in a different location, pass the full path to the file within quotes:
/p:PublishProfile="C:\PublishProfiles\VeracodePrecompileProfile.pubxml"
The custom directory location and publish profile file must exist or an error occurs. If you modify the /p:PublishProfile property, the extension no longer automatically creates the VeracodePrecompileProfile.pubxml file. You can select Restore to Default to revert to the original behavior.
If you encounter problems and want more detailed information about MSBuild activity, you can add the file logger parameter. For example (change the path to an appropriate logging directory):
/flp:verbosity=detailed;logfile=C:\Logs\VeracodeMsBuildLog-${LogDateTimeStamp}.log
Valid verbosity values are: diagnostic, detailed, normal, minimal, and quiet.
The diagnostic value can create extremely large log files depending on the complexity of your solution. We recommend starting with a less verbose value.
You must ensure the directory structure referenced in the logfile attribute exists. The filename is created automatically, but you receive an error if the directories do not already exist. Also, verify there is a space between the previous parameter and this parameter.
The LogDateTimeStamp variable at the end of the path is automatically replaced with a date and time stamp. Each time you publish, the extension creates a new log file instead of appending to an existing file.
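The failure modes described above (a custom publish profile path that does not exist, a logfile directory that is missing, an unknown verbosity value, or a missing space before /flp:) all surface only when MSBuild runs. The following is an added example, not code from Veracode or the extension, that expands the two variables the extension substitutes and checks an argument line for those problems before a build. The variable names and the default argument line come from the page; the check logic, the helper names and the constructed sample paths are this example's own.

```python
import os
import re
from datetime import datetime

# Default arguments shown on the Precompilation tab of the Options window.
DEFAULT_MSBUILD_ARGS = (
    "${SolutionName} /p:DeployOnBuild=true "
    "/p:PublishProfile=VeracodePrecompileProfile"
)
# Verbosity levels accepted by the MSBuild file logger.
VALID_VERBOSITY = {"diagnostic", "detailed", "normal", "minimal", "quiet"}
# Tokens are whitespace-separated, but a quoted path may contain spaces.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def expand_variables(args, solution_path, stamp=None):
    """Substitute the two variables the extension replaces at publish time."""
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    quoted = f'"{solution_path}"' if " " in solution_path else solution_path
    return args.replace("${SolutionName}", quoted).replace("${LogDateTimeStamp}", stamp)


def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def _parent_dir(path):
    """Directory part of a Windows or POSIX path, independent of the host separator."""
    cut = max(path.rfind("\\"), path.rfind("/"))
    return path[:cut] if cut >= 0 else ""


def preflight(args):
    """Return the problems that would make the MSBuild publish step fail."""
    problems = []
    for raw in _TOKEN.findall(args):
        tok = _unquote(raw)
        # A switch glued to the previous parameter means the separating space is missing.
        if "/flp:" in tok and not tok.startswith("/flp:"):
            problems.append(f"missing space before /flp: in {tok!r}")
        elif tok.startswith("/p:PublishProfile="):
            profile = _unquote(tok[len("/p:PublishProfile="):])
            # A bare profile name is resolved (and created if absent) by the
            # extension; an explicit path must already exist.
            if ("\\" in profile or "/" in profile) and not os.path.isfile(profile):
                problems.append(f"publish profile not found: {profile}")
        elif tok.startswith("/flp:"):
            for part in tok[len("/flp:"):].split(";"):
                key, _, value = part.partition("=")
                key = key.lower()
                if key == "verbosity" and value.lower() not in VALID_VERBOSITY:
                    problems.append(f"invalid verbosity: {value}")
                elif key == "logfile":
                    log_dir = _parent_dir(_unquote(value))
                    if log_dir and not os.path.isdir(log_dir):
                        problems.append(f"log directory does not exist: {log_dir}")
        elif not tok.startswith("/") and tok.lower().endswith(".sln") and not os.path.isfile(tok):
            problems.append(f"solution file not found: {tok}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a Windows-style line as it would appear after expansion.
    sample = expand_variables(
        DEFAULT_MSBUILD_ARGS
        + " /flp:verbosity=detailed;logfile=C:\\Logs\\VeracodeMsBuildLog-${LogDateTimeStamp}.log",
        "C:\\src\\MyApp\\MyApp.sln",
    )
    print(sample)
    for problem in preflight(sample):
        print("problem:", problem)
```

Run it on the argument line you intend to paste into the Default MSBuild Arguments field; an empty list from preflight means the paths exist on this machine and the verbosity value is one the logger accepts.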
Build your application
Create a build of your application and upload the application to Veracode for analysis.
Before you begin:
Ensure you meet the prerequisites.
When you create a new build of your application, the extension creates the build with the necessary compilation and linker settings as outlined in packaging requirements.
To complete this task:
- Open your project solution in Visual Studio.
- Select Extensions > Veracode Static > Build with Veracode Settings.
This action temporarily changes the compilation and linker settings of the source build configuration in preparation for uploading to Veracode. By default, the extension builds your code using the active build configuration, then precompiles your project automatically.
Precompile web projects
By default, the extension precompiles your builds automatically when they complete. If you do not want automatic precompilation, you can precompile your builds manually.
Before you begin:
- Ensure you meet the prerequisites.
- To precompile web projects that target a 64-bit architecture, you must use the 64-bit version of Windows.
- Before you can successfully upload your binaries, you must correct all compilation and precompilation errors. Veracode cannot upload and scan an application that does not build successfully.
Precompilation translates ASP.NET views, pages, and controls into DLL files with debug information for Veracode to analyze. It stores the precompilation output in $(SolutionDir)\PrecompiledWeb. The default is automatic precompilation.
To complete this task:
- In Visual Studio, select Extensions > Veracode Static > Options > Precompilation.
- Clear the Publish on build with Veracode settings checkbox to disable automatic precompilation.
- Select Veracode Static > Publish/Precompile Web Projects to start precompiling your web project.
- To issue a clean solution command that deletes all artifacts and creates a new build, select Veracode Static > Rebuild With Veracode Settings.
Scan your project
After using Veracode Static for Visual Studio to create a Veracode build of your application, you can upload the build to a new or existing application profile in your Veracode portfolio.
Before you begin:
Ensure you meet the prerequisites.
To complete this task:
- In Visual Studio, select Extensions > Veracode Static > Upload and Scan.
- If prompted, enter your API credentials. Select the checkbox to store your credentials so that you only have to enter them once.
- In the Upload and Scan window, from the Application dropdown menu, select the application for which you want to upload binaries. To add an application, select Add Application and enter the required information such as policy control and organization information.
- Complete all the fields in the Add Application window and select Save. In the Upload and Scan window, the application you just added is preselected and the Create Scan window opens.
- Select Create Scan.
- In the Create Scan window, enter the name for the new scan and, optionally, the lifecycle stage.
- Select Create.
- In the Solution Files pane, select the solution files you want to upload.
Note: For web applications built on ASP.NET Core 3.0 and later, there is an executable that duplicates the artifacts included in the upload to the Veracode Platform. In your web application project, you must deselect the duplicate executable to exclude it from the upload, or you see an error and the Veracode Platform initiates a manual module selection.
- If necessary, select any files in the Additional Files section that you also want to scan. The files can include additional application components that are not built in the solution, such as compiled files from another solution or components built in another language.
- Select Upload.
You cannot upload binaries if Veracode is currently scanning an application. After the scan results are available, you can add more files.
Veracode expects the name of the uploaded file to be the same between scans of the same application. However, because filenames can change between builds of the same code, you can change the filename before uploading to keep the name consistent. If Veracode indicates that the filenames are not the same, select the New Filename column to rename the file, so that it matches the previous name for the same file.
- When prompted to confirm, select Yes to continue the upload.
- Select Yes to go directly to the Veracode prescan process after the upload completes. If you do not want the full scan to continue automatically, select No.
- Select Begin Prescan at the top of the Upload Files table.
Files you have previously uploaded to the selected scan already appear in the Uploaded Files section.
- When the prescan is complete, select View Prescan Results at the top of the Upload Files table.
Veracode notifies you when your scan is complete and results are available.
- At the prompt, select OK to start the prescan of the files when the upload has completed. If you select No, you must select the Start Prescan link on the Upload and Scan page.
After the prescan verification completes successfully, the scan begins automatically.
Results:
If there is an error during prescan:
- In the Upload and Scan window, select View Prescan Results.
- In the Prescan Verification Results window, select the files you want to scan.
- Select the modules that are independent components, which you need to scan in their entirety. Leave the checkboxes for third-party components or dependencies cleared.
- Select Yes to start the scan.
If you encounter an error when uploading a build, in Visual Studio, in the Options window, select Source Control > Environment. Then, verify that Saving and Editing are set to Check out automatically.
Scan in a sandbox
You can create a development sandbox into which you upload your application files from your IDE. You can then scan your application from the sandbox.
Before you begin:
Ensure you meet the prerequisites.
To complete this task:
- In your IDE, select Extensions > Veracode > Upload and Scan.
- If prompted, enter your API credentials. Select Store username and password so that you only have to enter your credentials one time.
- From the Application dropdown menu, select an application.
- In the Scan Type field, select Sandbox Scan.
- Select Create Sandbox and enter a name for the sandbox.
Note: If you do not see the Create Sandbox button, contact Veracode Technical Support to enable this feature for your account.
- In the Workspace Files table, select the browse icon to select the files to upload from your current projects. Select Add to select any files not associated with a current project.
- Select Upload. Then, select Yes to confirm that you want to proceed with the upload.
- Select Yes to go directly to the Veracode prescan process after the upload completes. If you do not want the full scan to continue automatically, select No.
- Select Begin Prescan at the top of the Upload Files table.
- After the prescan completes, select View Prescan Results to review the results.
Working with scan results
You can use Veracode Static for Visual Studio with the Results API to download and review scan results in Visual Studio. You can also download scan results from the Veracode Platform. Then, you can review and mitigate any discovered flaws from within Visual Studio.
Configure Visual Studio 2019 to display scan results
If you are using Visual Studio 2019 with .NET Framework version 4.8, you must clear an option in Visual Studio to ensure the downloaded scan results display in the Results window. Otherwise, the Results window might be empty.
Before you begin:
Ensure you meet the prerequisites.
To complete this task:
- In Visual Studio, open the Options window.
- Clear the Optimize rendering for screens with different pixel densities checkbox.
- Restart Visual Studio.
Import scan results
You can download and import scan results from the Veracode Platform and view them in your IDE. You can also download and import results with the Results API.
Before you begin:
- Ensure you meet the prerequisites.
- For Visual Studio 2019, you have configured a rendering option. If you do not configure this option, the scan results might not display in Visual Studio.
To complete this task:
- In the Veracode Platform, from the left navigation menu, select Results.
- Select Download Report and select Detailed XML Export (XML) from the dropdown menu.
- Select Download. The report downloads as a ZIP file with the XML document and the associated XSD schema.
- In Visual Studio, select Veracode Static > View Results.
- Select Browse. Then, select the XML results file to open.
- Select Open.
The scan results open in the Results window. In the Results window you can perform these tasks to review the results while working in your development project:
- Filter or search for discovered flaws.
- Double-click a flaw to open the source file, if the solution is open, and place your cursor on the line that contains the flaw.
- Right-click a flaw and select to view the related call stacks, mitigations, and other details.
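The Results window filters, opens and annotates the flaws that the Detailed XML Export contains. The following is an added example, not code from Veracode or the extension, that reads a report of that kind outside the IDE and produces the same views: counts by severity and mitigation status, and a per-source-file list of open flaws with their line numbers. The sample report is constructed for the example; its element and attribute names (detailedreport, severity, category, cwe, staticflaws, flaw, issueid, cweid, sourcefile, line, mitigation_status) and the namespace URI are assumptions made to illustrate the structure, not a copy of the Veracode schema, so check them against the XSD that ships in the downloaded ZIP before using this on a real export.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modeled on the shape of a Detailed XML Export.
# Element and attribute names are assumptions for this example, not the
# Veracode schema; the namespace is a placeholder.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<detailedreport xmlns="https://example.invalid/schema" app_name="SampleApp" build_id="1">
  <severity level="5">
    <category categoryname="SQL Injection">
      <cwe cweid="89" cwename="Improper Neutralization of Special Elements used in an SQL Command">
        <staticflaws>
          <flaw issueid="1" severity="5" cweid="89" sourcefile="Orders.cs" line="42" mitigation_status="none"/>
          <flaw issueid="2" severity="5" cweid="89" sourcefile="Report.cs" line="17" mitigation_status="accepted"/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
  <severity level="3">
    <category categoryname="Information Leakage">
      <cwe cweid="209" cwename="Generation of Error Message Containing Sensitive Information">
        <staticflaws>
          <flaw issueid="3" severity="3" cweid="209" sourcefile="Orders.cs" line="88" mitigation_status="proposed"/>
          <flaw issueid="4" severity="3" cweid="209" sourcefile="Global.asax.cs" line="12" mitigation_status="none"/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
</detailedreport>
"""


def _local(tag):
    """Strip the XML namespace so lookups work whether or not the export declares one."""
    return tag.rsplit("}", 1)[-1]


def load_flaws(xml_text):
    """Return every static flaw in the report as a dict of its key attributes."""
    # Python's expat-based ElementTree does not fetch external entities, and only
    # attributes are read here; for reports from an untrusted source prefer defusedxml.
    root = ET.fromstring(xml_text)
    flaws = []
    for el in root.iter():
        if _local(el.tag) != "flaw":
            continue
        flaws.append({
            "issueid": el.get("issueid"),
            "severity": int(el.get("severity", "0")),
            "cweid": el.get("cweid"),
            "sourcefile": el.get("sourcefile"),
            "line": int(el.get("line", "0")),
            "mitigation_status": el.get("mitigation_status", "none"),
        })
    return flaws


def open_flaws(flaws):
    """Flaws that still need action: anything whose mitigation is not yet accepted."""
    return [f for f in flaws if f["mitigation_status"] != "accepted"]


def summarize(flaws):
    """Counts by severity and by mitigation status, the facets the Results window filters on."""
    by_sev = defaultdict(int)
    by_status = defaultdict(int)
    for f in flaws:
        by_sev[f["severity"]] += 1
        by_status[f["mitigation_status"]] += 1
    return {"total": len(flaws), "open": len(open_flaws(flaws)),
            "by_severity": dict(by_sev), "by_status": dict(by_status)}


def flaws_by_source(flaws):
    """Map each source file to sorted (line, issueid) pairs, the order a reviewer walks a file in."""
    index = defaultdict(list)
    for f in open_flaws(flaws):
        index[f["sourcefile"]].append((f["line"], f["issueid"]))
    return {path: sorted(hits) for path, hits in index.items()}


if __name__ == "__main__":
    flaws = load_flaws(SAMPLE_REPORT)
    print(summarize(flaws))
    for path, hits in flaws_by_source(flaws).items():
        print(path, hits)
```

Because the report is matched on local element names, the same functions work on an export that declares a default namespace and on one that does not; the only schema dependency is the attribute names, which is why they are listed as assumptions above.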
Import scan results using the Results API
You can download and import Veracode results from within your IDE using the Results API. You can also download and import the results from the Veracode Platform.
Before you begin:
- Ensure you meet the prerequisites.
- Your account must have the Results API role.
To complete this task:
- Select Extensions > Veracode > Download Results. If the Veracode menu is not visible, ensure you have correctly installed the plugin.
- If prompted, enter your API credentials. Optionally, select the Store API and key checkbox, so that you only have to enter your credentials one time.
- Select Submit.
- In the Download Results window, select the required application, scan type, and specific scan. Then, select Download.
The results download from Veracode into the Results view. By default, Veracode saves the results file to the Downloads directory on your local computer. For example, on Windows: C:\Users\{username}\Downloads.
- Select Apply and OK.
Mitigate findings
You can mitigate static findings, including approving and rejecting existing mitigations, from within your IDE.
Before you begin:
- Ensure you meet the prerequisites.
- Your account must have the Mitigation API role.
- Ensure you have imported the scan results.
From within your IDE, you can comment on a flaw and set the mitigation status as:
- Potential false positive
- Design
- OS environment
- Network environment
- Mitigate by design
You can also accept or reject a flaw already flagged as mitigated.
To complete this task:
- In your IDE, select Extensions > Veracode > View Results.
- From the Results window, in the Flaw ID column, select the checkbox next to one or more flaws that you want to mitigate.
- From the Actions dropdown menu, select a mitigation action. Then, select Mitigate.
- In the Flaw Mitigation Request window, enter your comments.
- Select Continue.
- If you see an access denied error message, check for these issues, resolve them, and try to mitigate again:
  - There is a policy or sandbox scan in progress for the application.
  - You are not working with the most recent scan results.
  - You do not have the Mitigation API role.
  - Another user has locked the flaw in the Veracode Platform.
MSBuild paths
This section lists the default MSBuild paths for Visual Studio and is intended for informational purposes only.
MSBuild paths for Visual Studio 2019
For Visual Studio 2019, the first two paths with a \Professional directory differ based on your edition of Visual Studio. As appropriate, you can replace \Professional with \Enterprise or \Community. The Visual Studio Preview installation also changes the path based on Enterprise, Professional, or Community.
These paths apply to the legacy and new versions of Veracode Static for Visual Studio, both of which support Visual Studio 2019.
Standard Visual Studio paths
C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\MSBuild\Current\Bin\
C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\MSBuild\Current\Bin\amd64\
Visual Studio preview paths
C:\Program Files (x86)\Microsoft Visual Studio\2019\Preview\MSBuild\Current\Bin
C:\Program Files (x86)\Microsoft Visual Studio\2019\Preview\MSBuild\Current\Bin\amd64\
MSBuild tools paths
C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Current\Bin\
C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Current\Bin\amd64\
MSBuild paths for Visual Studio 2017
For Visual Studio 2017, the first two paths with a \Professional directory differ based on your edition of Visual Studio. As appropriate, you can replace \Professional with \Enterprise or \Community. The Visual Studio Preview installation also changes the path based on Enterprise, Professional, or Community.
MSBuild tools paths
C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin\
C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin\amd64\
Standard Visual Studio paths
C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\
C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\amd64\
Visual Studio preview paths
C:\Program Files (x86)\Microsoft Visual Studio\Preview\Professional\MSBuild\15.0\Bin
MSBuild paths for Visual Studio 2015
You can install Visual Studio 2015 and later in a custom path. You need to add the custom path to MSBuild, based on the listed path patterns. A custom path follows the same patterns shown here, starting after the \Program Files (x86) directory.
C:\Program Files (x86)\MSBuild\14.0\Bin\
C:\Program Files (x86)\MSBuild\14.0\Bin\amd64\