C/C++ on Windows packaging
Your C/C++ applications must meet specific compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
Automated packaging
Auto-packaging automates the packaging process for C/C++ Windows projects.
Required files
Veracode requires all binary executables, all required libraries, and the complete debug information for the application.
Supported C/C++ on Windows platforms and compiler versions
| Language | Platform | Version | Compiler |
|---|---|---|---|
| C/C++ (32-bit/64-bit) | Windows | Windows Desktop Environments:
|
|
Supported architectures
Veracode supports analyzing Windows C/C++ code compiled for the Intel IA32 and X86_64 architectures. Veracode does not currently support analyzing Windows C/C++ code compiled for Itanium (IA64), Alpha, MIPS, PowerPC, ARM, or other microarchitectures.
Platform-specific debug settings
You can automate these compilation settings by using the Veracode Visual Studio Extension.
Ensure that you compile the binary files with these settings:
-
Project Properties > Configuration Properties > C/C++ > General
Set Debug Information Format to Program Database using the
/Zioption. -
Project Properties > Configuration Properties > C/C++ > Optimization
When possible, set Optimization to Disabled using the
/Odoption. -
Project Properties > Configuration Properties > C/C++ > Code Generation
- Set Basic Runtime Checks to Default. On the command line, ensure that
/RTCis not set. - Set Runtime Library to Multi-threaded Debug or Multi-threaded Debug DLL using the
/MTd,/MDd, or/LDdoptions. - Set Buffer Security Check to No using the
/GS-option.
- Set Basic Runtime Checks to Default. On the command line, ensure that
-
Project Properties > Configuration Properties > Linker > General
Set Enable Incremental Linking to No using the
/INCREMENTAL:NOoptions. -
Project Properties > Configuration Properties > Linker > Debugging
Choose Generate Debug Information optimized for sharing and publishing using the
/DEBUG:FULLoption. -
Retain the generated PDB file. It is a required dependency.
Building and linking applications using the command line
If you are building a Visual C++ application from the command line, Veracode requires that the /Zi, /Od and /GS- flags are set, the /RTC flag is not set, and a debug run-time library is selected, if you are explicitly specifying the /M or /L option. For example, {{ /MDd, /MLd, /MTd, /LDd}} when you compile. You must set the /INCREMENTAL:NO and /DEBUG flags when linking the application.
This example shows the command-line flags required to build an application for Veracode analysis.
cl.exe /Zi /Od /GS- /MTd /link /INCREMENTAL:NO /DEBUG:FULL
Optimized code
Although Veracode can analyze some Windows C/C++ binaries compiled with optimization, there could be some reduction of results quality. Specifically, Veracode strongly recommends these settings to analyze Windows binaries compiled with optimization:
- MSVC7: analysis of optimized binaries built with MSVC 7 and earlier is unsupported
- MSVC8: disable Frame Pointer Omission optimization with the
/Oy-command-line flag - MSVC9: no specific issues
C/C++ Windows application profile
- You must package applications as EXE, DLL, or ZIP files.
- Debug symbols are mandatory for main executables. Veracode strongly recommends that you also provide debug symbols for dependent libraries, when possible, to achieve higher-quality scan results.
- Failure to upload debug symbols for Windows C/C++ applications prevents the scan from proceeding.
- Failure to upload dependencies for Windows C/C++ applications results in a warning during prescan.