Scan package preparation
To get the best results from a scan, consider these best practices before you upload packages.
Artifact types
For Java, upload either a WAR or JAR package.
For JavaScript, upload either a JS or ZIP package.
You can include multiple JAR files in a ZIP package. The maximum upload size limit for a ZIP file is 1 GB.
Access to class files and dependencies
If you package your files differently than suggested here, Scan has to make assumptions about your code, and the results might be less precise than they could be, including false negatives and false positives.
When Scan has access to all the appropriate class files and dependencies, the results do not include phantom classes. A phantom class is a class that your code references but for which Scan either cannot find the bytecode or cannot decompile the bytecode into its intermediate representation (IR).
Scan needs access to these files:
Application class files
Application dependency jar or class files
Organize application and dependencies in WAR files as described in the Oracle Java™ Servlet Specification.
Organize applications and dependencies in JAR files similar to the way SpringBoot JAR files are organized.
SpringBoot JAR files place applications and dependencies in well-known areas.
You do not need to include standard JDK files or the common dependencies that a servlet container provides. Scan supplies these dependencies for you.
Frameworks
To be able to deliver accurate results, Scan needs to understand the web framework that your application uses.
Source code scans: This scan type supports all frameworks for the supported languages.
Java binary scans: This scan type supports these frameworks:
Angular 8 or later
J2EE
Jakarta EE 2.0-3.0
jQuery
React 16 or later
SpringBoot
Spring MVC
Vue.JS 2 or later
Avoid use of thin JAR files
Thin JAR files contain only the application bytecode and rely on a special launcher to fetch their dependencies dynamically at run time. Scan does not execute any of your application code, so if you upload a thin JAR file, Scan cannot reach the application dependencies and cannot scan the application accurately.
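As an added example (not part of this page or of Scan itself), the following pre-upload check inspects an archive with Python's standard zipfile module, classifies its layout by the locations the Servlet specification (WEB-INF/) and SpringBoot (BOOT-INF/) use, and flags the two problems described above: application bytecode with no dependency JARs alongside it (the thin JAR pattern) and a ZIP that exceeds the 1 GB limit. The archive contents in the demo are constructed samples.

```python
import io
import zipfile

MAX_UPLOAD_BYTES = 1024 ** 3  # 1 GB upload limit for a ZIP, as stated above


def build_archive(entries):
    """Build an in-memory ZIP/JAR from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def classify_archive(data):
    """Describe how an archive is laid out and list likely scan problems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    classes = [n for n in names if n.endswith(".class")]
    nested_jars = [n for n in names if n.endswith(".jar")]
    # Dependency JARs in the places the Servlet spec and SpringBoot put them.
    bundled_deps = [n for n in nested_jars
                    if n.startswith(("WEB-INF/lib/", "BOOT-INF/lib/"))]
    if any(n.startswith("WEB-INF/") for n in names):
        kind = "war"
    elif any(n.startswith("BOOT-INF/") for n in names):
        kind = "springboot-jar"
    elif nested_jars and not classes:
        kind = "zip-of-jars"  # several JARs bundled in one ZIP upload
    elif classes:
        kind = "plain-jar"
    else:
        kind = "unknown"
    problems = []
    if kind in ("plain-jar", "springboot-jar") and not bundled_deps:
        # Bytecode with no dependencies beside it: the thin JAR pattern, so Scan
        # would lack the dependency classes and report phantom classes.
        problems.append("no bundled dependency JARs (thin JAR?)")
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append("exceeds 1 GB upload limit")
    return {"kind": kind, "classes": len(classes),
            "bundled_deps": len(bundled_deps), "problems": problems}


def classify_file(path):
    """Classify an archive on disk before uploading it."""
    with open(path, "rb") as fh:
        return classify_archive(fh.read())


if __name__ == "__main__":
    # Constructed samples: a SpringBoot-style JAR with its dependency and a thin JAR.
    fat = build_archive({"BOOT-INF/classes/com/example/App.class": b"\xca\xfe\xba\xbe",
                         "BOOT-INF/lib/library-1.0.jar": b"PK"})
    thin = build_archive({"com/example/App.class": b"\xca\xfe\xba\xbe"})
    for label, data in (("fat", fat), ("thin", thin)):
        print(label, classify_archive(data))
```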