Packaging C/C++ Applications on Linux and Solaris

Veracode Packaging Requirements

Your C/C++ applications must meet specific compilation requirements before you can submit them for scanning.

See Supported Languages and Platforms for instructions for other platforms.

Required Files

Veracode requires all binary executables, all required libraries, and the complete debug information for the application.

Supported C/C++ on Solaris and Linux Platforms and Compiler Versions

Platform and Architecture | Version | Compiler
CentOS and Red Hat Enterprise Linux (x86-64) | 5–8 | GCC 4.1, 4.4, 4.7–4.9, 5.3–5.5, 6.3, 7.3, 8.0–8.3, 9.2, 10, 11
CentOS and Red Hat Enterprise Linux (x86) | 3–5 | GCC 3.2–3.4, 4.0–4.2, 4.8, 4.9
openSUSE (x86-64) | 11 | GCC 4.5, 4.8, 4.9
openSUSE (x86) | 10, 11 | GCC 4.1, 4.5, 4.8, 4.9
Solaris (SPARC64) | 8–10 | GCC 3.3, 3.4, 4.0–4.2
Solaris (SPARC) | 7–10 | GCC 3.3, 3.4, 4.0–4.2

Supported Architectures

Veracode supports analyzing C/C++ code compiled for the Intel IA32 and X86_64 architectures. Veracode does not currently support analyzing C/C++ code compiled for Itanium (IA64), Alpha, MIPS, PowerPC, ARM, or other microarchitectures.

Platform-Specific Debug Settings

Ensure that you compile the binary files with debug settings. Compile code with these options:

-gdwarf-2 -g3 -O0 -fno-builtin

Do not compile code with any of these options:

  • -O
  • -mflat
  • -mno-faster-structs
  • -mimpure-text
  • -mcpu={ultrasparc or ultrasparc3}
  • -mtune={ultrasparc or ultrasparc3}
  • -mlittle-endian
  • -mcmodel
  • -mstack-bias
  • -p, -pg, -fprofile-<any>
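
One way to check a build against the two flag lists above before packaging. This is an added example, not Veracode's own tooling; the function names check_flags and lint_build_log and the sample build lines are constructed for illustration, and treating every -O level other than -O0 as covered by "-O" is an assumption.

```shell
# Added example: lint GCC flags against the debug-setting lists above.
# check_flags and lint_build_log are hypothetical helper names.
# check_flags prints one finding per line; returns 0 only when there are none.
check_flags() {
    findings=""
    for req in -gdwarf-2 -g3 -O0 -fno-builtin; do
        case " $* " in
            *" $req "*) ;;
            *) findings="${findings}missing:$req
" ;;
        esac
    done
    for flag in "$@"; do
        case "$flag" in
            -O0) continue ;;
            # Assumption: "-O" on the list covers every -O<level> except -O0.
            -O*|-p|-pg|-fprofile-*) ;;
            -mflat|-mno-faster-structs|-mimpure-text|-mlittle-endian) ;;
            -mcmodel|-mcmodel=*|-mstack-bias) ;;
            -mcpu=ultrasparc|-mcpu=ultrasparc3|-mtune=ultrasparc|-mtune=ultrasparc3) ;;
            *) continue ;;
        esac
        findings="${findings}forbidden:$flag
"
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Read compile commands on stdin (for example `make -n` output) and print
# "<line number>:<finding>" for each gcc/g++ line that breaks a rule.
lint_build_log() {
    n=0; rc=0
    set -f                      # no globbing while word-splitting $args
    while read -r compiler args; do
        n=$((n + 1))
        case "$compiler" in gcc|g++|*/gcc|*/g++) ;; *) continue ;; esac
        out=$(check_flags $args) || rc=1
        [ -z "$out" ] || printf '%s\n' "$out" | sed "s/^/$n:/"
    done
    set +f
    return $rc
}

# Constructed sample input: line 1 passes, line 2 is skipped, line 3 fails.
lint_build_log <<'EOF' || echo "fix the flags above before packaging"
gcc -gdwarf-2 -g3 -O0 -fno-builtin -c main.c -o main.o
ar rcs libutil.a util.o
g++ -g -O2 -pg -c util.cpp -o util.o
EOF
```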

Packaging Guidance

  • You must package applications as EXE, TAR, TAR.GZ, TGZ, or SO files.
  • DWARF debug symbols are mandatory for main executables. Failure to upload debug symbols for Solaris or Linux C/C++ applications prevents the scan from proceeding.
  • Failure to upload dependencies for Solaris or Linux C/C++ applications results in a warning during prescan.

Compatibility Notes

  • GCC 4.4 is only supported on:
    • 64-bit Red Hat Enterprise Linux 5 and 6
    • 32-bit and 64-bit openSUSE 11
  • GCC 6 and 7 are only supported on 64-bit operating systems.
  • You must package applications as a TAR file (extensions of TAR, TAR.GZ, TGZ), ZIP file, or submit individual native binaries with the SO extension.