ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Manage Orgs with Environment Hub
Architectural Considerations for Group and Professional Editions
Security Requirements for AppExchange Partners and Solutions
Pass the AppExchange Security Review
Prepare for the AppExchange Security Review
How the AppExchange Security Review Works
Required Materials for Security Review Submission
Listing Readiness for Managed Packages
Check If Your Package Version Is Ready to List on AppExchange
Partner Security Portal
Test Your Entire Solution
Scan Your Managed Package with Salesforce Code Analyzer
False Positives
Document Your Responses to False Positives
Example Responses to False Positives in Checkmarx Scan Results
Example Responses to False Positives in a Security Review Failure Report
The AppExchange Security Review Wizard
Security Review Resources
Manage Your Security Reviews
Manage Your AppExchange Listings
Sell on AppExchange with Checkout
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Example Responses to False Positives in Checkmarx Scan Results

The following example shows how to document your responses to false positives resulting from a Checkmarx scan. The example is in tabular format, but you can use whatever format suits the reporting of your information.
Reported Vulnerability Location Response
FLS Update Paths 1–17 We implemented and called the AuthManager class to check these paths for us or throw an error. You can see that in ControllerFile.cls on lines 241, 245, and 249.
FLS Update Paths 18–24 Have been fixed and are valid.
FLS Update Paths 25, 26, and 30 Are against our custom object UsageLog__c and not intended for user consumption. They are never exposed to users directly.
FLS Update Paths 27–29 Must update the Account.NumberRelatedIssues__c field to appropriately count the new object created, irrespective of user input.
Sharing Violation BatchCleanData.cls We minimized the functions that this class calls to only the minimum set that requires without sharing.
Sharing Violation LightningController.cls Changed declaration to with sharing.
Sharing Violation GlobalIssueReporting.cls Changed to useinherited sharing because we don't know which context our calling class requires.
Stored XSS Issue.page file: paths 1–3 reportIssueList is a list of objectID + ' ' + integers. It poses no XSS risk.
Stored XSS Issue.page file: path 4 Fixed by removing escape=”false”.
Stored XSS Issue.page We sanitized usageLog in JavaScript using the Salesforce SecureFilters library.