During a static scan, you may receive warning or error messages about the uploaded files. Use the tips from Veracode to resolve these warnings or errors.
Identifying Errors and Warnings
If the prescan operation identifies problems in your application modules, or determines that the application does not contain problems, the Application page shows one of the following messages in the Status column.
: Prescan identified one or more problems that prevent Veracode from proceeding with the scan.
: Prescan identified one or more problems that might degrade the quality of the scan results, but do not prevent Veracode from proceeding with the scan.
: Prescan did not identify any problems and Veracode can proceed with the scan.
The module appears to have corrupt headers, and may have been modified after compilation. Try to recompile the module.
The module is built with a platform, such as a compiler, that Veracode does not actively support. Results from the analysis of this module are not as accurate as results produced from supported platforms. Attempting to analyze this module may cause the analysis to fail. If it is a primary module, try to recompile the module for a supported platform. For example, a primary module may be an executable rather than a supporting library.
Incrementally Linked Libraries
The module is built with incremental linking turned on. In some cases, this condition can impair the quality of the analysis and increase scan times. If possible, try to recompile the module without incremental linking.
JSP Compilation Errors
Veracode cannot analyze JSP files that cannot be compiled. If you receive this message, verify that you include all files and classes on which the JSP files depend. Upload any missing files and classes.
Java compilation instructions provide additional guidance regarding JSP files.
Missing Debug Information
If Veracode shows any modules as missing debug information, in red, you must recompile the associated binaries according to the Veracode Packaging Requirements and upload them again. Veracode does not require debug information for every language. However, failing to include debug information may result in lower quality findings and increased scan times. Veracode also requires debug information to report the source file and line number for findings.
Missing Entry Point
For a successful static scan, each application or executable module needs a starting point. For a C application, this entry point might be a main() function, and for a web application, it might be one or more JSP or ASPX pages.
No Precompiled Files Located
To analyze ASP.NET applications, Veracode requires you to precompile the dynamically generated pages, which are typically prepared at runtime by the application server. If you do not submit precompiled forms, the scan may produce incomplete or incorrect results. For more information, refer to Packaging ASP.NET Web Applications.
Veracode recommends that you use Veracode Static for Visual Studio to prepare your .NET application for uploading to Veracode.
Obfuscated or Optimized Code
Veracode cannot analyze code compiled with optimizations, or code that has been obfuscated. Recompile the binaries without optimizations or obfuscation and resubmit.
Supporting Files Missing
Carefully review the list of missing files shown as Not Found. Ensure that none of the files you want to analyze are missing. If you identify any missing supporting files, click Add Files and add the libraries containing the dependencies.
For C/C++ applications, supporting files are required. If you do not upload the supporting files for a module, you cannot scan that module.
Unsupported Architecture, Platform, or Compiler
If any modules show an Unsupported Architecture, Platform, or Compiler message, in red, Veracode cannot analyze these modules. If you see this message, review the list of supported platforms and compilers. If possible, try to recompile the binaries with a supported compiler or platform. For example, for a Linux binary, try compiling on a Red Hat platform. For a 64-bit Windows binary, try compiling for 32-bit.
Unsupported Frameworks (Non-Blocking)
This message is informational only, which means that your scan proceeds even if your scan request is for an application that has one or more unsupported frameworks. After the scan of an unsupported framework, Veracode typically produces an incomplete list of the findings in the application. These findings are valid, but because the use of the unsupported frameworks can prevent Veracode from creating a complete model of the application before scanning, parts of the application were not scanned, which leads to an incomplete findings list.
Veracode detected an issue with the submission that may impact results quality or scan performance. Expand the module details for more information about the specific issue. Veracode detects these common support issues:
Mismatched PDB files
Veracode could not load the debug information included for this module because the debug files are not artifacts of the same compilation as the matching binary. Include the debug files that you generated at the same time as the binary. You may need to perform a clean rebuild of the application.
The source files indicated by this warning may contain syntax errors that prevent Veracode from analyzing them. Review the code to ensure that it is syntactically correct for the language and that it uses a supported dialect. Ensure that you include any required dependencies in the submission. Veracode cannot scan files with parse failures. Veracode excludes these files from analysis if you choose to proceed.
Uploaded Source Code Without Binaries
The submission contains source code files, but no corresponding compiled binary. Veracode analyzes compiled binary executables, rather than source code. For specific formatting instructions, refer to the Veracode Packaging Requirements.
If you are uploading a Java web archive (WAR) for analysis, you may receive one of several messages regarding a missing, empty, or incorrect WEB-INF/web.xml filepath. As detailed in the packaging guidance for WAR, EAR, and JAR files in the Java compilation instructions, the WAR must contain a valid XML deployment descriptor. Review the instructions and resubmit with a correct
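
A pre-upload check for the missing, empty, and incorrect WEB-INF/web.xml cases described above, as an added example that is not Veracode code. It assumes a well-formed descriptor with a `<web-app>` root is acceptable and does not perform schema validation; the function names and sample archives are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "WEB-INF/web.xml"  # path relative to the WAR root

def check_war_descriptor(war):
    """Classify a WAR (path or file-like object) before upload.

    Returns (status, detail); status is "ok", "missing", "empty" or "incorrect".
    """
    try:
        archive = zipfile.ZipFile(war)
    except zipfile.BadZipFile:
        return "incorrect", "not a readable ZIP/WAR archive"
    with archive:
        names = archive.namelist()
        if DESCRIPTOR not in names:
            # A descriptor at the wrong depth or with different case is a
            # common packaging slip, so report where one was found.
            near = [n for n in names if n.lower().endswith("web.xml")]
            hint = f"; found {near[0]} instead" if near else ""
            return "missing", f"{DESCRIPTOR} not at archive root{hint}"
        data = archive.read(DESCRIPTOR)
    if not data.strip():
        return "empty", f"{DESCRIPTOR} has no content"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return "incorrect", f"{DESCRIPTOR} is not well-formed XML: {exc}"
    # Drop any namespace prefix: "{http://...}web-app" -> "web-app".
    if root.tag.rsplit("}", 1)[-1] != "web-app":
        return "incorrect", f"root element is <{root.tag}>, expected <web-app>"
    return "ok", "descriptor present and well-formed"

def build_sample_war(entries):
    """Build an in-memory WAR from {path: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    good = b'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>'
    print(check_war_descriptor(build_sample_war({DESCRIPTOR: good})))
    print(check_war_descriptor(build_sample_war({"app/WEB-INF/web.xml": good})))
```

Run it against the build output in CI so a packaging mistake fails the build instead of surfacing at prescan.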