Document Your Responses to False Positives

Most often, false positives appear in Checkmarx, Chimera, ZAP, or Burp Suite scanner results. False positives also occasionally show up in Salesforce security review failure reports. In either case, you can improve your likelihood of passing security review by including a false-positive explanatory document when you submit your code.

You can use any format to document a false-positive response. For each flagged issue, include:

  • Location—State the code location of the reported vulnerability.
  • Explanation—Explain why the flagged code doesn’t pose a vulnerability.

In addition to providing rationales for false positives, include in your documentation explanations to clarify special use cases, circumstances, or exceptions.

Some categories of security scan results are false positives that don't require documentation or code reworking. These categories exist in most, but not all, of the security scanners that we accept for security review. Other scan results fall into severity categories that require attention because they highlight known security vulnerabilities. If you can't submit justifiable false-positive documentation for one of these issues, rework the flagged code lines to meet security standards.

For each scanner, the scan results that require attention for security review and the results that don't:

  • Checkmarx (Force.com source code scanner)
      • Requiring attention: All issues regardless of severity level, except for issues labeled “Code Quality”.
      • Not requiring attention: Issues labeled “Code Quality” don’t require code reworking or a false-positive explanation.
  • ZAP and Burp Suite
      • Requiring attention: Issues categorized as high severity.
      • Not requiring attention: Action on low and medium severity issues isn’t required, but investigation into whether they pose a security threat is encouraged.
  • Chimera
      • Requiring attention: All issues regardless of severity level, except for issues labeled “Informational/Other”.
      • Not requiring attention: Issues with a risk level of “Informational/Other” don’t require code reworking or a false-positive explanation.