ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Quick Start Tutorials: Become a Partner and Build a Simple AppExchange Solution
Design and Build Your AppExchange Solution
Package and Test Your AppExchange Solution
Pass the AppExchange Security Review
AppExchange Security Review
How Does AppExchange Security Review Work?
Partner Security Portal
Test Your Entire Solution
False Positives
Document Your Responses to False Positives
Example Responses to False Positives in Checkmarx Scan Results
Example Responses to False Positives in a Security Review Failure Report
Security Review Resources
Publish Your Solution on AppExchange
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Report Orders to Salesforce with the Channel Order App
Managing Licenses for Managed Packages
License Your AppExchange Solution
Provide a Free Trial of Your AppExchange Solution
Update Your AppExchange Solution
User License Guides for Salesforce Partners
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Document Your Responses to False Positives

Most often, false positives appear in Source Code Scanner (Checkmarx), Chimera, ZAP, or Burp Suite scanner results. False positives occasionally show up in Salesforce security review failure reports. In either case, you can improve your likelihood of passing security review by including a false-positive explanatory document when you submit your code.

You can use any format to document a false-positive response. For each flagged issue, include:

  • Location—State the code location of the reported vulnerability.
  • Explanation—Explain why the flagged code doesn’t pose a vulnerability.

In addition to providing rationales for false positives, include in your documentation explanations that clarify special use cases, circumstances, or exceptions.

Some categories of security scan results are false positives that don't require documentation or code reworking. These categories exist in most of the security scanners that we accept for security review. Other scan results fall into severity categories that require attention because they highlight known security vulnerabilities. If you can’t submit justifiable false positive documentation, rework the flagged code to meet security standards.

Scanner Scan Results Requiring Attention for Security Review Scan Results Not Requiring Attention
Source Code Scanner (Checkmarx) All issues regardless of severity level that aren’t labeled “Code Quality” Issues labeled “Code Quality”
ZAP and Burp Suite Issues categorized as high severity Action on low and medium severity issues isn’t required, but investigation into whether they pose a security threat is encouraged.
Chimera All issues regardless of severity level that aren’t labeled “Informational/Other” Issues labeled “Informational/Other”