Scan package preparation

You can include multiple JAR or WAR files in a ZIP package. Place these files at the root directory of the ZIP package, not in subdirectories.

The maximum uncompressed size of your code artifact must not exceed 1GB.

When preparing your ZIP file for uploading to Contrast, either with the CLI or the Contrast web interface, ensure the uncompressed data is no larger than 1 GB. Contrast Scan might reject uncompressed files that are larger than 1 GB. In that case, you need to split the files into multiple projects for successful scans.

Using a consistent file structure for each scan is crucial to preventing duplicate vulnerability findings. After an initial scan, if you need to change the file structure for the files you are scanning, create a new scan project for those files instead of using an existing one. If you are planning to scan multiple branches without using the Contrast Scan Analyze GitHub action, create a separate scan project for your personal branch.

If you use an existing scan project, change the file structure, and then run a scan, Contrast sets the original vulnerability status to Remediated and reports a new, duplicate vulnerability. The new finding is linked to the same file and line number but shows the new path.

Consistent file structure affects files in ZIP files and files not in a ZIP file.

Example 1: Changing ZIP file name

In this example, we rename a ZIP file but maintain the file structure in the ZIP file. This change doesn't result in Contrast reporting duplicate vulnerabilities:

scan.zip
   |
   |-- source_files
  
changed to
  
contrastscan.zip
      |
      |-- source_files

In this case, the ZIP file name isn't part of the scan path, so changing it has no affect on the scan findings.

Example 2: Changing file structure in a ZIP file

In this example, we rename the ZIP file and also change the file structure by adding a new directory. This change causes Contrast to report duplicate vulnerabilities.

scan.zip
   |
   |-- source_files
  
changed to
  
contrastscan.zip
      |
      |-- contrastscan
              |
              |-- source files

In this case, changing the file structure within the ZIP file causes duplicate findings. To avoid this issue, create a new scan project and use it for future scans.

Example 3: Changing file structure in directories

In this example, we change the file structure by adding a new directory. This change causes Contrast to report duplicate vulnerabilities.

scan
   |
   |-- source_files
  
changed to
  
contrastscan
      |
      |-- contrastscan
              |
              |-- source files

In this case, changing the directory name and the file structure within the directory causes duplicate findings. To avoid this issue, create a new scan project and use it for future scans.

If you package your files differently than suggested here, Scan has to make assumptions about your code. The results might not be as precise as they could be. They could include false negatives and positives.

When Scan has access to all the appropriate class files and dependencies, the results do not include phantom classes. A phantom class is a referenced class but either scan is unable to find bytecode for it or the scan was unable to decompile the code into intermediate representation (IR).

To be able to deliver accurate results, Scan needs to understand the web framework that your application uses.

Thin JAR files contain only application byte code. These files require special execution loaders to dynamically access dependencies for loading. If you upload a thin JAR file, Scan does not execute any of your application code. It cannot access the application dependencies for accurate scanning.