C/C++ on Linux packaging
Your C/C++ applications must meet specific compilation requirements before you can submit them for scanning.
Required files
Veracode requires all binary executables, all required libraries, and the complete debug information for the application.
Supported C/C++ on Linux platforms and compiler versions
Platform and architecture | Version | GCC compilers |
---|---|---|
CentOS and Red Hat Enterprise Linux (x64) | 8 | 12, 11, 10, 9, 8 |
CentOS and Red Hat Enterprise Linux (x64) | 7 | 8.3, 7.3, 6.3, 5.3, 4.9, 4.8 |
CentOS and Red Hat Enterprise Linux (x64) | 6 | 7.3, 6.3, 5.3, 4.9, 4.8, 4.4 |
CentOS and Red Hat Enterprise Linux (x64) | 5 | 4.9, 4.8, 4.7, 4.1 |
CentOS and Red Hat Enterprise Linux (x86) | 5 | 4.9, 4.8, 4.2, 4.1 |
CentOS and Red Hat Enterprise Linux (x86) | 4 | 4.2, 4.1, 4.0, 3.4, 3.3 |
CentOS and Red Hat Enterprise Linux (x86) | 3 | 3.2 |
openSUSE (x86) | 10 | 4.1, 4.5, 4.8, 4.9 |
openSUSE (x64) | 11 | 4.9, 4.8, 4.5 |
openSUSE (x86) | 11 | 4.9, 4.8, 4.5 |
Supported architectures
Veracode supports analyzing C/C++ code compiled for the Intel IA32 and X86_64 architectures. Veracode does not currently support analyzing C/C++ code compiled for Itanium (IA64), Alpha, MIPS, PowerPC, ARM, or other microarchitectures.
Platform-specific debug settings
Ensure that you compile the binary files with debug settings. Compile code with these options:
-gdwarf-2 -g3 -O0 -fno-builtin
Do not compile code with any of these options:
-O
-mflat
-mno-faster-structs
-mimpure-text
-mcpu={ultrasparc or ultrasparc3}
-mtune={ultrasparc or ultrasparc3}
-mlittle-endian
-mcmodel
-mstack-bias
-p, -pg, -fprofile-<any>
(Optional) Hide symbols on executables
Veracode Static Analysis treats each Linux binary as a library and marks every method as potentially exposed to user input (that is, 'dllexported'). For a standalone executable this can produce flaws that are not realistic. To reduce these flaws and let Veracode Static Analysis determine that the application only uses the 'main' method directly, add this linker option when building executables that you do not also use as a library:
-Wl,--version-script=veracode.expmap
Then, create a veracode.expmap file that contains this line:
{global:main;local:*;};
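As an added example that is not part of the Veracode documentation, this POSIX shell script checks a compiler flag list against the required and forbidden options above, writes the veracode.expmap version script, and verifies a built binary with readelf and nm. It assumes GNU binutils are installed and treats any -O level other than -O0 as the forbidden -O option.

```shell
#!/bin/sh
# Added example, not from the Veracode documentation: pre-flight check of the
# compiler options listed above, generation of veracode.expmap, and a post-build
# check that the binary carries DWARF debug info and exports main.
# Assumption: any -O level other than -O0 counts as the forbidden -O option.

# Returns 0 when a single option is one of the forbidden ones.
is_forbidden() {
    case "$1" in
        -O|-O[1-9]|-Os|-Ofast|-Og) return 0 ;;
        -mflat|-mno-faster-structs|-mimpure-text|-mlittle-endian|-mstack-bias) return 0 ;;
        -mcpu=ultrasparc|-mcpu=ultrasparc3|-mtune=ultrasparc|-mtune=ultrasparc3) return 0 ;;
        -mcmodel*|-p|-pg|-fprofile-*) return 0 ;;
    esac
    return 1
}

# Returns 0 when FLAGS contain every required option and none of the forbidden ones.
check_veracode_flags() {
    flags="$1"
    for req in -gdwarf-2 -g3 -O0 -fno-builtin; do
        case " $flags " in
            *" $req "*) ;;
            *) echo "missing required option: $req" >&2; return 1 ;;
        esac
    done
    for f in $flags; do
        if is_forbidden "$f"; then
            echo "forbidden option: $f" >&2; return 1
        fi
    done
    return 0
}

# Writes the version script that keeps only main global (default path veracode.expmap).
write_expmap() {
    printf '{global:main;local:*;};\n' > "${1:-veracode.expmap}"
}

# Compiles SRC ($1) to OUT ($2) with the required options; only use the version
# script for executables that are not also loaded as a library.
build_for_veracode() {
    write_expmap veracode.expmap
    gcc -gdwarf-2 -g3 -O0 -fno-builtin -Wl,--version-script=veracode.expmap -o "$2" "$1"
}

# Post-build check: a .debug_info section exists and main is in the dynamic symbol table.
verify_veracode_binary() {
    readelf -S "$1" | grep -q '\.debug_info' || { echo "$1: no DWARF debug info" >&2; return 1; }
    nm -D --defined-only "$1" | grep -qw main || { echo "$1: main not exported" >&2; return 1; }
}
```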
Packaging guidance
- You must package applications as EXE, TAR, TAR.GZ, TGZ, or SO files.
- DWARF debug symbols are mandatory for main executables. Failure to upload debug symbols for Linux C/C++ applications prevents the scan from proceeding.
- Failure to upload dependencies for Linux C/C++ applications results in a warning during prescan.
Compatibility notes
- GCC 4.4 is only supported on:
  - 64-bit Red Hat Enterprise Linux 5 and 6
  - 32-bit and 64-bit openSUSE 11
- GCC 6 and 7 are only supported on 64-bit operating systems.
- You must package applications as a TAR file (extensions of TAR, TAR.GZ, TGZ), ZIP file, or submit individual native binaries with the SO extension.