C/C++ on Windows packaging
Your C/C++ applications must meet specific compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
Automated packaging
Auto-packaging automates the packaging process for C/C++ Windows projects.
Required files
Veracode requires all binary executables, all required libraries, and the complete debug information for the application.
Supported C/C++ on Windows architecture and platforms
Language | Platform |
---|---|
C/C++ (32-bit or 64-bit) | Windows XP, Windows 7, Windows 10, Windows Server 2003, Windows Server 2008 R2, Windows Server 2016, Windows Server 2019 |
Supported C/C++ on Windows toolsets and compilers
IDE | MSVC toolset | Microsoft compiler |
---|---|---|
Visual Studio .NET 2002 | 7.0 | 1300 |
Visual Studio .NET 2003 | 7.1 | 1310 |
Visual Studio 2005 | 8.0 | 1400 |
Visual Studio 2008 | 9.0 | 1500 |
Visual Studio 2010 | 10.0 | 1600 |
Visual Studio 2012 | 11.0 | 1700 |
Visual Studio 2013 | 12.0 | 1800 |
Visual Studio 2015 | 14.0 | 1900 |
Visual Studio 2017 | 14.1.x | 1910 |
Visual Studio 2019 | 14.2.x | 1920 - 1929 |
Visual Studio 2022 | 14.3.x-14.4.x | 1930 - 1940 |
Supported architectures
Veracode supports analyzing Windows C/C++ code compiled for the Intel IA32 and X86_64 architectures. Veracode does not currently support analyzing Windows C/C++ code compiled for Itanium (IA64), Alpha, MIPS, PowerPC, ARM, or other microarchitectures.
Platform-specific debug settings
You can automate these compilation settings by using the Veracode Visual Studio Extension.
Ensure that you compile the binary files with these settings:
- Project Properties > Configuration Properties > C/C++ > General: set Debug Information Format to Program Database using the /Zi option.
- Project Properties > Configuration Properties > C/C++ > Optimization: when possible, set Optimization to Disabled using the /Od option.
- Project Properties > Configuration Properties > C/C++ > Code Generation:
  - Set Basic Runtime Checks to Default. On the command line, ensure that /RTC is not set.
  - Set Runtime Library to Multi-threaded Debug or Multi-threaded Debug DLL using the /MTd, /MDd, or /LDd options.
  - Set Buffer Security Check to No using the /GS- option.
- Project Properties > Configuration Properties > Linker > General: set Enable Incremental Linking to No using the /INCREMENTAL:NO option.
- Project Properties > Configuration Properties > Linker > Debugging: choose Generate Debug Information optimized for sharing and publishing using the /DEBUG:FULL option.
Retain the generated PDB file. It is a required dependency.
Building and linking applications using the command line
If you are building a Visual C++ application from the command line, Veracode requires that the /Zi, /Od, and /GS- flags are set, that the /RTC flag is not set, and that a debug run-time library is selected if you explicitly specify the /M or /L option (for example, /MDd, /MLd, /MTd, or /LDd) when you compile. You must set the /INCREMENTAL:NO and /DEBUG flags when linking the application.
This example shows the command-line flags required to build an application for Veracode analysis.
cl.exe /Zi /Od /GS- /MTd /link /INCREMENTAL:NO /DEBUG:FULL
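As an added example (not Veracode's own tooling), the following Python script checks a cl.exe command line such as the one above against the compile and link settings listed on this page. It assumes the usual cl.exe convention that options after /link go to the linker and that either / or - may prefix an option; tokens are split on whitespace, which is enough because only option tokens are inspected.

```python
"""Check an MSVC cl.exe command line against the Veracode build settings above.

Added example, not Veracode tooling. Tokens are split on whitespace, so quoted
paths containing spaces are not handled (only option tokens are inspected).
"""

DEBUG_RUNTIMES = {"/MTd", "/MDd", "/LDd", "/MLd"}
RUNTIME_PREFIXES = ("/MT", "/MD", "/LD", "/ML")


def _options(tokens):
    """Keep option tokens only, normalising the '-' prefix cl.exe also accepts."""
    return ["/" + t[1:] if t[0] == "-" else t for t in tokens if t[0] in "/-"]


def check_build_flags(cmdline: str) -> list[str]:
    """Return the problems found; an empty list means the command line complies."""
    tokens = cmdline.split()
    # Everything after /link is passed to the linker; compiler options come first.
    upper = [t.upper() for t in tokens]
    split_at = upper.index("/LINK") if "/LINK" in upper else len(tokens)
    cl_opts = _options(tokens[:split_at])
    link_opts = [o.upper() for o in _options(tokens[split_at + 1:])]
    problems = []

    for flag, why in (("/Zi", "Program Database debug information"),
                      ("/Od", "optimization disabled")):
        if flag not in cl_opts:
            problems.append(f"missing {flag} ({why})")

    # Buffer Security Check: the last of /GS or /GS- on the line wins.
    gs = [o for o in cl_opts if o in ("/GS", "/GS-")]
    if not gs or gs[-1] != "/GS-":
        problems.append("missing /GS- (Buffer Security Check must be off)")

    # Basic Runtime Checks must stay at Default: no /RTC1, /RTCs, /RTCu or /RTCc.
    problems += [f"{o} is set (Basic Runtime Checks must be Default)"
                 for o in cl_opts if o.startswith("/RTC")]

    # A runtime library is optional, but if one is named it must be a debug one.
    runtime = [o for o in cl_opts if o.startswith(RUNTIME_PREFIXES)]
    if runtime and runtime[-1] not in DEBUG_RUNTIMES:
        problems.append(f"{runtime[-1]} is not a debug runtime; use one of "
                        + ", ".join(sorted(DEBUG_RUNTIMES)))

    # Linker side: incremental linking off and a full PDB requested.
    if "/INCREMENTAL:NO" not in link_opts:
        problems.append("missing /INCREMENTAL:NO (incremental linking must be off)")
    if not any(o in ("/DEBUG", "/DEBUG:FULL") for o in link_opts):
        problems.append("missing /DEBUG:FULL (debug information for the PDB)")
    return problems
```

Running it against a typical release line (for example /O2 /GS /RTC1 /MD with /DEBUG:NONE) lists every setting that would make the binary unsuitable for upload.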
Optimized code
Although Veracode can analyze some Windows C/C++ binaries compiled with optimization, there could be some reduction of results quality. Specifically, Veracode strongly recommends these settings to analyze Windows binaries compiled with optimization:
- MSVC7: analysis of optimized binaries built with MSVC 7 and earlier is unsupported.
- MSVC8: disable Frame Pointer Omission optimization with the /Oy- command-line flag.
- MSVC9: no specific issues.
C/C++ Windows application profile
- You must package applications as EXE, DLL, or ZIP files.
- Debug symbols are mandatory for main executables. Veracode strongly recommends that you also provide debug symbols for dependent libraries, when possible, to achieve higher-quality scan results.
- Failure to upload debug symbols for Windows C/C++ applications prevents the scan from proceeding.
- Failure to upload dependencies for Windows C/C++ applications results in a warning during prescan.