
Veracode when using QT?



  • Hey guys,

    Veracode.com, which checks all platforms and languages and is used worldwide to scan apps for security vulnerabilities, unfortunately has quite difficult requirements for Windows C++ applications:
    https://help.veracode.com/reader/4EKhlLSMHm5jC8P8j3XccQ/buYskUiDRTdtZy6kSkof2Q

    Do you think these requirements can be met from Qt Creator?



  • In the end I found the solution is very simple.

    Basically, for every supplied exe or dll file it requires a pdb file.
    Unfortunately the current 5.13.x version doesn't have it, unless I want to compile all of Qt with that.
    But if I use maintenancetool.exe, then for version 5.12.x it is available under Qt Debug Information Files, and then all pdb files are in the directory 5.12.x/msvc2017/bin.
    As for the pdb file for my exe file, I just added this to the .pro file:

    QMAKE_CXXFLAGS += -Zi
    QMAKE_CXXFLAGS += /GS-
    QMAKE_LFLAGS += /INCREMENTAL:NO
    QMAKE_LFLAGS += /DEBUG:FULL
    

    and when recompiled, the pdb file for the app was created.

    Also, important info regarding the Veracode requirements was that it needs the MSVC compiler instead of MinGW, so I had to use it too (but when I initially tried with MinGW it also somehow worked, so maybe someone in the future will have luck with this compiler too).

    Also, for future googlers: Veracode works with all the exe and dll files that you supply. If you decide not to supply some important dll, then it scans only what you supply, regardless of whether the dll is really needed. Because I was not able to find on the internet my custom MySQL connector dll (libmysql.dll and its pdb file).

    Hope this helps whoever googles this issue in the future.
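
An added example, not part of the original posts: a pre-upload check for the requirement described above that every supplied exe or dll comes with its pdb. It heuristically scans each binary for the CodeView RSDS record that the MSVC linker embeds when linking with /DEBUG (it does not fully parse the PE debug directory) and checks that the named pdb sits in the same folder; the function names, status strings and sample files are constructed for illustration.

```python
import struct
import tempfile
import uuid
from pathlib import Path, PureWindowsPath

def codeview_pdb(data):
    """Return (pdb_path, guid, age) from the first plausible RSDS record, else None."""
    pos = data.find(b"RSDS")
    while pos != -1:
        # Layout: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated PDB path
        end = data.find(b"\x00", pos + 24)
        name = data[pos + 24:end] if end != -1 else b""
        if name.lower().endswith(b".pdb"):
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            age = struct.unpack_from("<I", data, pos + 20)[0]
            return name.decode("utf-8", "replace"), guid, age
        pos = data.find(b"RSDS", pos + 1)  # false hit in code or data, keep looking
    return None

def check_upload_dir(folder):
    """Map each exe/dll in folder to 'ok', 'no-debug-record' or 'pdb-missing:<name>'."""
    folder = Path(folder)
    present = {p.name.lower() for p in folder.iterdir() if p.is_file()}
    report = {}
    for binary in sorted(folder.iterdir()):
        if binary.suffix.lower() not in (".exe", ".dll"):
            continue
        record = codeview_pdb(binary.read_bytes())
        if record is None:
            report[binary.name] = "no-debug-record"  # e.g. not linked with /DEBUG
        else:
            pdb = PureWindowsPath(record[0]).name
            report[binary.name] = "ok" if pdb.lower() in present else f"pdb-missing:{pdb}"
    return report

def demo():
    """Constructed sample files: stub binaries carrying a hand-built RSDS record."""
    def stub(pdb_path):
        return b"MZ" + bytes(64) + b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path + b"\x00"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(stub(rb"C:\build\release\app.pdb"))
        (root / "app.pdb").write_bytes(b"")
        (root / "libmysql.dll").write_bytes(stub(rb"C:\build\libmysql.pdb"))
        (root / "stripped.dll").write_bytes(b"MZ" + bytes(64))
        return check_upload_dir(root)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Point `check_upload_dir` at the folder you are about to upload; a `no-debug-record` result means the binary carries no PDB reference at all, while `pdb-missing` names the file that still has to be added.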


  • Lifetime Qt Champion

    Hi,

    From the looks of it, it's nothing Qt Creator is responsible for.

    You would likely create a custom mkspec to ensure that you have the flags needed as well as not the ones that are forbidden.

    This will likely require a custom build of Qt.




