ISVforce Guide

Welcome to the ISVforce Guide
ISVforce Quick Start
Grow Your AppExchange Business
Design and Build Your Solution
Package and Test Your Solution
Pass the AppExchange Security Review
Security Review
Required Materials for Security Review Submission
Security Review Steps
Security Review Wizard
False Positives
Document Your Responses to False Positives
Example Responses to False Positives in Checkmarx Scan Results
Example Responses to False Positives in a Security Review Failure Report
Submit a Client or Mobile App for Security Review
Submit an Extension Package for Security Review
Security Review Resources
Security Review FAQ
Publish Your Solution on AppExchange
Monitor Performance with Analytics for AppExchange Partners
Manage Orders
Manage Licenses
Manage Features
Provide a Free Trial of Your Solution
Support Your AppExchange Customers
Update Your Solution
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Example Responses to False Positives in a Security Review Failure Report

This example shows how to document your responses to false positives listed in a Salesforce security review failure report. It’s written to support a retest submission.
Reported Vulnerability Location Response
Insecure Software Version jQueries Updated
Insecure Software Version moment.js No user input flows into moment parsing. User input flows only to Salesforce Date fields.
Insecure Storage of Sensitive Data UserConfig_c.object The apiKey__c field is encrypted before setting with the encryption key, which is stored in a protected custom setting.
Insecure Storage of Sensitive Data IssueInvite_c.object The password__c field is a support-agent selected password to share resources publicly with the internet. It’s not a user-owned secret.
Insecure Storage of Sensitive Data APIManagement_c.object We deprecated this custom setting, but it’s impossible to delete custom setting definitions from managed packages.
Insecure Storage of Sensitive Data AuthManager.cls The credentials in comments are only example credentials. They do not authenticate to any development or production system.
Stored XSS https://content.salesforce-partner.com We spoke to Jane Doe at Salesforce during our office hours on Feb. 1, 2019, to explain this URL, which is linked to a nonsensitive content domain. The URL has no session data to access back-end information. We were told that this finding could be a false positive.