Scan package preparation
To get the best results from a scan, consider these best practices before you upload packages.
Note
This topic applies to the use of hosted scans, where you upload files to Contrast. Package preparation for local scans describes the best practices for the Scan local engine.
Artifact types
For Java binary scans, upload either a WAR or JAR package.
For source code scans, upload a ZIP package that contains the repository you want to scan.
You can include multiple JAR or WAR files in a ZIP package. Place these files at the root directory of the ZIP package, not in subdirectories.
The maximum uncompressed size of your code artifact must not exceed 1GB.
When preparing your ZIP file for uploading to Contrast, either with the CLI or the Contrast web interface, ensure the uncompressed data is no larger than 1 GB. Contrast Scan might reject uncompressed files that are larger than 1 GB. In that case, you need to split the files into multiple projects for successful scans.
Use a consistent file structure
Using a consistent file structure for each scan is crucial to preventing duplicate vulnerability findings. After an initial scan, if you need to change the file structure for the files you are scanning, create a new scan project for those files instead of using an existing one. If you are planning to scan multiple branches without using the Contrast Scan Analyze GitHub action, create a separate scan project for your personal branch.
If you use an existing scan project, change the file structure, and then run a scan, Contrast sets the original vulnerability status to Remediated and reports a new, duplicate vulnerability. The new finding is linked to the same file and line number but shows the new path.
Consistent file structure affects files in ZIP files and files not in a ZIP file.
Example 1: Changing ZIP file name
In this example, we rename a ZIP file but maintain the file structure in the ZIP file. This change doesn't result in Contrast reporting duplicate vulnerabilities:
scan.zip | |-- source_files changed to contrastscan.zip | |-- source_files
In this case, the ZIP file name isn't part of the scan path, so changing it has no affect on the scan findings.
Example 2: Changing file structure in a ZIP file
In this example, we rename the ZIP file and also change the file structure by adding a new directory. This change causes Contrast to report duplicate vulnerabilities.
scan.zip | |-- source_files changed to contrastscan.zip | |-- contrastscan | |-- source files
In this case, changing the file structure within the ZIP file causes duplicate findings. To avoid this issue, create a new scan project and use it for future scans.
Example 3: Changing file structure in directories
In this example, we change the file structure by adding a new directory. This change causes Contrast to report duplicate vulnerabilities.
scan | |-- source_files changed to contrastscan | |-- contrastscan | |-- source files
In this case, changing the directory name and the file structure within the directory causes duplicate findings. To avoid this issue, create a new scan project and use it for future scans.
Access to class files and dependencies
If you package your files differently than suggested here, Scan has to make assumptions about your code. The results might not be as precise as they could be. They could include false negatives and positives.
When Scan has access to all the appropriate class files and dependencies, the results do not include phantom classes. A phantom class is a referenced class but either scan is unable to find bytecode for it or the scan was unable to decompile the code into intermediate representation (IR).
Scan needs access to these files:
Application class files
Application dependency jar or class files
Organize application and dependencies in WAR files as described in the Oracle Java™ Servlet Specification.
Organize applications and dependencies in JAR files similar to the way SpringBoot JAR files are organized.
SpringBoot JAR files place applications and dependencies in well-known areas.
Including standard JDK files and common servlet container-provided dependencies are not required. Scan provides these dependencies for you.
Frameworks
To be able to deliver accurate results, Scan needs to understand the web framework that your application uses.
Source code scans: This scan type supports all frameworks for the supported languages.
Java binary scans: This scan type supports these frameworks:
Angular 8 or later
J2EE
Jakarta EE 2.0-3.0
jQuery
React 16 or later
SpringBoot
Spring MVC
Vue.JS 2 or later
Avoid use of thin JAR files
Thin JAR files contain only application byte code. These files require special execution loaders to dynamically access dependencies for loading. If you upload a thin JAR file, Scan does not execute any of your application code. It cannot access the application dependencies for accurate scanning.