ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Quick Start Tutorials: Become a Partner and Build a Simple AppExchange Solution
Design and Build Your AppExchange Solution
Package and Test Your AppExchange Solution
Pass the AppExchange Security Review
AppExchange Security Review
How Does AppExchange Security Review Work?
Partner Security Portal
Test Your Entire Solution
False Positives
Document Your Responses to False Positives
Example Responses to False Positives in Checkmarx Scan Results
Example Responses to False Positives in a Security Review Failure Report
Security Review Resources
Publish Your Solution on AppExchange
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Report Orders to Salesforce with the Channel Order App
Managing Licenses for Managed Packages
License Your AppExchange Solution
Provide a Free Trial of Your AppExchange Solution
Update Your AppExchange Solution
User License Guides for Salesforce Partners
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Example Responses to False Positives in a Security Review Failure Report

The following example shows how to document your responses to false positives listed in a Salesforce security review failure report. It’s written to support a retest submission.
Reported Vulnerability Location Response
Insecure Software Version jQueries Updated.
Insecure Software Version moment.js No user input flows into moment parsing. User input flows only to Salesforce Date fields.
Insecure Storage of Sensitive Data UserConfig_c.object The apiKey__c field is encrypted before setting with the encryption key, which is stored in a protected custom setting.
Insecure Storage of Sensitive Data IssueInvite_c.object The password__c field is a support-agent selected password to share resources publicly with the internet. It’s not a user-owned secret.
Insecure Storage of Sensitive Data APIManagement_c.object We deprecated this custom setting, but it’s impossible to delete custom setting definitions from managed packages.
Insecure Storage of Sensitive Data AuthManager.cls The credentials in comments are only example credentials. They do not authenticate to any development or production system.
Stored XSS https://content.saslesforce.partner.com We spoke to Jane Doe at Salesforce during office hours on Feb. 1, 2020. This URL is linked to a nonsensitive content domain. The URL has no session data to access back-end information. We were told that this finding could be a false positive.