ISVforce Guide

Welcome to the ISVforce Guide
ISVforce Quick Start
Grow Your AppExchange Business
Design and Build Your Solution
Package and Test Your Solution
Pass the AppExchange Security Review
Security Review
Required Materials for Security Review Submission
Security Review Steps
Security Review Wizard
False Positives
Document Your Responses to False Positives
Example Responses to False Positives in Checkmarx Scan Results
Example Responses to False Positives in a Security Review Failure Report
Submit a Client or Mobile App for Security Review
Submit an Extension Package for Security Review
Security Review Resources
Security Review FAQ
Publish Your Solution on AppExchange
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Manage Orders
Manage Licenses
Manage Features
Provide a Free Trial of Your Solution
Support Your AppExchange Customers
Update Your Solution
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

False Positives

As you navigate the AppExchange security review process, you're likely to encounter false positive issues with your solution. A false positive occurs when a security-scanning tool or code reviewer flags code lines that appear to pose a security vulnerability but actually don’t. Instead, the flagged vulnerability is nonexistent, nonexploitable, or not required to support a valid use case or functionality.

Improve your likelihood of passing an initial or follow-up security review by addressing false positives in your submission. Include with your submitted solution a document that explains why each flagged security vulnerability that is a false positive doesn’t pose a threat.