Document Your Responses to False Positives
You can use any format to document a false-positive response. For each flagged issue, include:
- Location—State the code location of the reported vulnerability.
- Explanation—Explain why the flagged code doesn’t pose a vulnerability.
Along with the rationale for each false positive, document any special use cases, circumstances, or exceptions that a reviewer needs in order to understand why the finding doesn't apply to your code.
Some categories of scan results don't require false-positive documentation or code rework. Most, but not all, of the scanners we accept for security review have such a category; the table below lists them. All other scan results fall into severity categories that require attention, because they correspond to known vulnerability classes. For each of these findings, either submit a justifiable false-positive explanation or rework the flagged lines of code to meet security standards.
| Scanner | Scan Results Requiring Attention for Security Review | Scan Results Not Requiring Attention |
|---|---|---|
| Checkmarx (Force.com source code scanner) | All issues regardless of severity level, except for issues labeled “Code Quality” | Issues labeled “Code Quality” don’t require code reworking or a false positive explanation. |
| ZAP and Burp Suite | Issues categorized as high severity | Action on low and medium severity issues isn’t required, but investigation into whether they pose a security threat is encouraged. |
| Chimera | All issues regardless of severity level, except for issues labeled “Informational/Other” | Issues with a risk level of “Informational/Other” don’t require code reworking or a false positive explanation. |