C/C++ on Windows packaging
Your C/C++ applications must meet specific compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
Required files
Veracode requires all binary executables, all required libraries, and the complete debug information for the application.
Supported C/C++ on Windows platforms and compiler versions
Language | Platform | Version | Compiler
---|---|---|---
C/C++ (32-bit/64-bit) | Windows | Windows Desktop Environments: |
Supported architectures
Veracode supports analyzing Windows C/C++ code compiled for the Intel IA32 and X86_64 architectures. Veracode does not currently support analyzing Windows C/C++ code compiled for Itanium (IA64), Alpha, MIPS, PowerPC, ARM, or other microarchitectures.
Platform-specific debug settings
You can automate these compilation settings by using the Veracode Visual Studio Extension.
Ensure that you compile the binary files with these settings:
- Project Properties > Configuration Properties > C/C++ > General: set Debug Information Format to Program Database using the /Zi option.
- Project Properties > Configuration Properties > C/C++ > Optimization: when possible, set Optimization to Disabled using the /Od option.
- Project Properties > Configuration Properties > C/C++ > Code Generation:
  - Set Basic Runtime Checks to Default. On the command line, ensure that no /RTC option (/RTC1, /RTCs, /RTCu, or /RTCc) is set.
  - Set Runtime Library to Multi-threaded Debug or Multi-threaded Debug DLL using the /MTd, /MDd, or /LDd option.
  - Set Buffer Security Check to No using the /GS- option.
- Project Properties > Configuration Properties > Linker > General: set Enable Incremental Linking to No using the /INCREMENTAL:NO option.
- Project Properties > Configuration Properties > Linker > Debugging: set Generate Debug Information to "optimized for sharing and publishing" using the /DEBUG:FULL option.
- Retain the generated PDB file. It is a required dependency.
Building and linking applications using the command line
If you build a Visual C++ application from the command line, Veracode requires that the /Zi, /Od, and /GS- flags are set, that no /RTC flag is set, and that a debug run-time library is selected whenever you explicitly specify an /M or /L option (for example /MDd, /MTd, /LDd, or /MLd on compilers older than Visual C++ 2005, which removed the single-threaded /ML variants). When linking, you must set the /INCREMENTAL:NO and /DEBUG:FULL flags.
This example shows the command-line flags required to build an application for Veracode analysis; app.cpp stands in for your own source files:
cl.exe /Zi /Od /GS- /MTd app.cpp /link /INCREMENTAL:NO /DEBUG:FULL
Optimized code
Although Veracode can analyze some Windows C/C++ binaries compiled with optimization, results quality may be reduced. Veracode strongly recommends these settings when analyzing Windows binaries compiled with optimization:
- MSVC7: analysis of optimized binaries built with MSVC 7 and earlier is unsupported.
- MSVC8: disable Frame Pointer Omission optimization with the /Oy- command-line flag.
- MSVC9: no specific issues.
C/C++ Windows application profile
- You must package applications as EXE, DLL, or ZIP files.
- Debug symbols are mandatory for main executables. Veracode strongly recommends that you also provide debug symbols for dependent libraries, when possible, to achieve higher-quality scan results.
- Failure to upload debug symbols for Windows C/C++ applications prevents the scan from proceeding.
- Failure to upload dependencies for Windows C/C++ applications results in a warning during prescan.
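The following PowerShell script is an added example, not Veracode tooling or an official build script. It ties together the command-line flags section and the application profile requirements above: it compiles with the required compiler and linker flags, checks that the EXE and its PDB were produced, that no incremental-link database was left behind, and that the EXE's CodeView (RSDS) debug directory entry, as printed by dumpbin /headers, names the PDB that was just built, then packages EXE, PDB, and any dependent DLLs into a ZIP for upload. It assumes it runs in a Developer PowerShell or vcvars environment so that cl.exe, link.exe, and dumpbin.exe are on PATH; the names app.cpp, app.exe, app.pdb, and app-veracode.zip are placeholders, and it assumes dependent DLLs sit in the current directory.

```powershell
# Added example (not Veracode's own tooling): build, verify, and package a
# Windows C/C++ binary with the settings this page requires.
# Assumptions: run from a Developer PowerShell / vcvars environment so that
# cl.exe, link.exe and dumpbin.exe are on PATH; app.cpp, app.exe and app.pdb
# are placeholder names; dependent DLLs, if any, sit in the current directory.
$ErrorActionPreference = 'Stop'

$Source  = 'app.cpp'            # placeholder for your source file(s)
$Exe     = 'app.exe'
$Pdb     = 'app.pdb'            # link.exe names the PDB after the EXE by default
$Archive = 'app-veracode.zip'

# Compiler flags required by this page: PDB debug info (/Zi), no optimization
# (/Od), no /GS cookies, debug static CRT (/MTd), and no /RTC option at all.
$ClFlags   = @('/nologo', '/Zi', '/Od', '/GS-', '/MTd', "/Fe$Exe")
# Linker flags required by this page: no incremental link, full PDB.
$LinkFlags = @('/INCREMENTAL:NO', '/DEBUG:FULL', "/PDB:$Pdb")

# Remove stale outputs so the checks below cannot pass on a previous build.
Remove-Item -Path $Exe, $Pdb, 'app.ilk', $Archive -ErrorAction SilentlyContinue

& cl.exe @ClFlags $Source /link @LinkFlags
if ($LASTEXITCODE -ne 0) { throw "cl.exe failed with exit code $LASTEXITCODE" }

# Check 1: both the EXE and its PDB exist (the PDB is a required upload).
foreach ($f in @($Exe, $Pdb)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Build output missing: $f" }
}

# Check 2: /INCREMENTAL:NO leaves no .ilk incremental-link database behind.
if (Test-Path -LiteralPath 'app.ilk') { throw 'app.ilk present: link was incremental' }

# Check 3: the EXE's CodeView debug directory entry names the PDB we just
# produced, so the scanner can pair the two. dumpbin prints it as
#   <time> cv <size> <rva> <ptr> Format: RSDS, {GUID}, <age>, <path>.pdb
$headers = & dumpbin.exe /nologo /headers $Exe
if ($LASTEXITCODE -ne 0) { throw "dumpbin.exe failed with exit code $LASTEXITCODE" }
$cvLine = $headers | Where-Object { $_ -match 'Format:\s*RSDS,' } | Select-Object -First 1
if (-not $cvLine) {
    throw "$Exe has no CodeView (RSDS) debug entry; was /DEBUG:FULL passed to the linker?"
}
if ($cvLine -match 'RSDS,\s*\{[0-9A-Fa-f-]+\},\s*\d+,\s*(.+?\.pdb)\s*$') {
    $linkedPdb = [System.IO.Path]::GetFileName($Matches[1])
    if ($linkedPdb -ne $Pdb) { throw "$Exe references $linkedPdb, but the build produced $Pdb" }
} else {
    throw "Unrecognised CodeView entry in ${Exe}: $cvLine"
}

# Package the EXE, its PDB, and any dependent DLLs (add their PDBs too when
# you have them) into the ZIP form the application profile accepts.
$deps  = @(Get-ChildItem -Path . -File -Filter '*.dll' | ForEach-Object { $_.Name })
$files = @($Exe, $Pdb) + $deps
Compress-Archive -LiteralPath $files -DestinationPath $Archive -Force
Write-Host ("Packaged {0} into {1}" -f ($files -join ', '), $Archive)
```

The RSDS check is the one a practitioner most often needs: a PDB that exists on disk but whose GUID and age do not match the EXE's CodeView entry (for example, one left over from an earlier link) is rejected by debuggers and symbol tooling alike, so verifying the pairing before upload avoids a prescan failure. The .ilk check is only a heuristic for incremental linking; the authoritative setting is the /INCREMENTAL:NO flag passed above.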