Veracode fails to pre-scan Spring Boot version > 2.5.9 executables. In our case, the Spring Boot version is 2.6.4. Veracode fails the pre-scan and module(s) cannot be selected.
These error messages are displayed on the Veracode Select Modules screen:
Corrupt Header - 1 File
Support Issue: Fatal - 1 File
Support Issue (fatal):
We consulted with Veracode on July 6; they indicated this is a Spring Boot issue and suggested we open an issue here. Veracode has had a significant number of support calls in the past month or so regarding this issue. It is a known, common issue with Veracode customers. Veracode states a script is added in the exec, and when the script gets removed, the length of the artifact is not properly adjusted (the executable byte length). It effectively makes the artifact corrupt for Veracode scanning.
Is this a known Spring Boot issue? If so, when will it be fixed?
Comment From: wilkinsona
> Please use version 2.5.9 (or earlier)

This advice is concerning. Spring Boot 2.5.x reached the end of its OSS support period on 19 May 2022.

> Veracode states a script is added in the exec

Perhaps they're referring to this change

> and when the script gets removed, the length of the artifact is not properly adjusted (the executable byte length)

Once added, Spring Boot never removes the script. If something else is removing it, it will have to update the entry offsets to account for the change.

> Is this a known spring boot issue

This isn't a known issue. If you would like us to investigate further, please provide a complete yet minimal sample that reproduces the problem.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
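
The offset problem discussed in this thread can be checked on any jar before it is uploaded to a scanner. The following is an added example, not code from Spring Boot, Veracode or any participant: it builds a small archive behind a constructed stand-in script, then shows that cutting the script off without rewriting the central directory leaves every recorded offset pointing at the wrong bytes. `STUB`, `build_prefixed_jar` and `check_offsets` are hypothetical names, and the sample archive assumes entry offsets counted from the start of the file.

```python
import io
import struct
import zipfile

LOC_SIG, CEN_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

# Constructed stand-in for a prepended launch script (not Spring Boot's script).
STUB = b'#!/bin/sh\n# constructed stand-in for a launch script\nexec java -jar "$0" "$@"\nexit 0\n'


def build_prefixed_jar() -> bytes:
    """Write STUB, then a small archive whose offsets account for the prefix."""
    buf = io.BytesIO()
    buf.write(STUB)
    with zipfile.ZipFile(buf, "w") as zf:  # offsets are counted from byte 0 of buf
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("BOOT-INF/classes/app.txt", "constructed sample\n")
    return buf.getvalue()


def check_offsets(data: bytes) -> dict:
    """Strict check (no ZIP64): every recorded offset must hit a real header."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return {"ok": False, "prefix_len": None, "shift": None, "bad_entries": []}
    # End record: entry count at +10, directory size at +12, directory offset at +16.
    total, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    cd_actual = eocd - cd_size      # where the central directory really starts
    shift = cd_actual - cd_offset   # 0 when recorded offsets match the file
    bad, pos = [], cd_actual
    for _ in range(total):
        if data[pos:pos + 4] != CEN_SIG:
            bad.append(f"<central header at {pos}>")
            break
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_offset,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if data[local_offset:local_offset + 4] != LOC_SIG:
            bad.append(name)  # recorded offset does not land on a local header
        pos += 46 + name_len + extra_len + comment_len
    return {"ok": shift == 0 and not bad, "prefix_len": data.find(LOC_SIG),
            "shift": shift, "bad_entries": bad}


if __name__ == "__main__":
    jar = build_prefixed_jar()
    print("script + archive  :", check_offsets(jar))
    # Dropping the prefix without rewriting offsets leaves them len(STUB) too large.
    print("prefix cut naively:", check_offsets(jar[len(STUB):]))
```

A non-zero `shift` with a `prefix_len` of 0 is the signature of a prefix that was removed without the offsets being rewritten; lenient ZIP readers may compensate for the shift silently, which is why a strict check like this one is useful when comparing tool behaviour.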