Example Responses to False Positives in Checkmarx Scan Results

The following example shows how to document your responses to false positives resulting from a Checkmarx scan. The example is in tabular format, but you can use whatever format suits the reporting of your information.
| Reported Vulnerability | Location | Response |
|---|---|---|
| FLS Update | Paths 1–17 | We implemented and called the AuthManager class to check these paths for us or throw an error. You can see that in ControllerFile.cls on lines 241, 245, and 249. |
| FLS Update | Paths 18–24 | Have been fixed and are valid. |
| FLS Update | Paths 25, 26, and 30 | Are against our custom object UsageLog__c and not intended for user consumption. They are never exposed to users directly. |
| FLS Update | Paths 27–29 | Must update the Account.NumberRelatedIssues__c field to appropriately count the new object created, irrespective of user input. |
| Sharing Violation | BatchCleanData.cls | We minimized the functions that this class calls to the minimum set that requires without sharing. |
| Sharing Violation | LightningController.cls | Changed declaration to with sharing. |
| Sharing Violation | GlobalIssueReporting.cls | Changed to use inherited sharing because we don't know which context our calling class requires. |
| Stored XSS | Issue.page file: paths 1–3 | reportIssueList is a list of objectID + ' ' + integers. It poses no XSS risk. |
| Stored XSS | Issue.page file: path 4 | Fixed by removing escape="false". |
| Stored XSS | Issue.page | We sanitized usageLog in JavaScript using the Salesforce SecureFilters library. |
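As an added illustration (not code from the page or from any real package), the following Apex shows the kind of check-or-throw helper the first table row refers to when it cites an AuthManager class: it verifies field-level update access before a DML path runs and uses the sharing keywords the Sharing Violation rows mention. The class and method names, the FlsException type, and the ExampleController call site are assumptions; only the name AuthManager comes from the page.

```apex
// Added example, not from the original page. Uses inherited sharing so the
// helper runs in whatever sharing context its caller declares.
public inherited sharing class AuthManager {
    // Custom exception type (assumed name) thrown when an FLS check fails.
    public class FlsException extends Exception {}

    // Throw if the running user cannot update any of the named fields.
    // A Checkmarx "FLS Update" finding on a DML path is addressed by calling
    // this immediately before the update statement.
    public static void checkUpdateable(Schema.SObjectType sObjType, List<String> fieldNames) {
        Map<String, Schema.SObjectField> fieldMap = sObjType.getDescribe().fields.getMap();
        for (String fieldName : fieldNames) {
            // Describe maps are keyed by lower-case API name.
            Schema.SObjectField field = fieldMap.get(fieldName.toLowerCase());
            if (field == null || !field.getDescribe().isUpdateable()) {
                throw new FlsException('No update access to ' + sObjType + '.' + fieldName);
            }
        }
    }

    // Alternative to throwing: silently drop fields the user cannot update
    // using the platform's built-in stripInaccessible check.
    public static List<SObject> stripNonUpdateable(List<SObject> records) {
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.UPDATABLE, records);
        return decision.getRecords();
    }
}

// Call site (assumed controller name; in an org this lives in its own .cls file).
// Declared with sharing so record-level access is enforced for the running user.
public with sharing class ExampleController {
    public static void renameAccounts(List<Account> accounts) {
        // Check-or-throw before the update path the scanner flagged.
        AuthManager.checkUpdateable(Account.SObjectType, new List<String>{ 'Name', 'Phone' });
        update accounts;
    }
}
```

When the update is a system-level count that must happen regardless of the user's permissions (as in the Account.NumberRelatedIssues__c row), the response documents that intent instead of adding a check, since the check would wrongly block legitimate callers.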