FAQ-000346 - Code Quality vs Security Vulnerabilities / Code Quality vs Security Review Requirements


Current FAQ

Question
Are code quality issues required to be fixed for security review approval, and what resources are available for understanding and resolving them?
Answer
Code quality issues are not explicitly required to be fixed for security review approval. However, all security vulnerabilities identified during the review must be addressed. Fixing code quality issues is recommended, as they can often lead to security vulnerabilities, and any flagged issues that are false positives should be documented appropriately.

To understand and resolve Code Quality category issues in the AppExchange Security Review, you can use the following resources:

1. **Salesforce Code Analyzer**: Supports multiple engines like PMD, ESLint, RetireJS, and Salesforce Graph Engine to identify code quality issues, including CRUD/FLS violations.
2. **Source Code Scanner (Checkmarx)**: Available on the Partner Security Portal, it helps identify security vulnerabilities in your solution.
3. **Manual Testing**: Perform manual testing alongside automated scans to catch issues that automated tools might miss.
4. **Technical Office Hours**: Schedule appointments with Product Security engineers through the Partner Security Portal for guidance on resolving code quality issues.
5. **Documentation of False Positives**: Document any false positives identified during scans and submit them for review.
6. **Security Review Wizard**: Use this tool in the AppExchange Partner Console to track submission progress, review feedback, and communicate with the security review team.

These resources provide a comprehensive approach to effectively addressing code quality issues.

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexSharingViolations
Reasoning
The FAQ content is accurate and well-structured, clearly distinguishing between code quality issues and security vulnerabilities. The content already covers the key points comprehensively without needing significant revision. The answer maintains appropriate length and detail for the FAQ format.

For security rule associations:

**ApexCRUDViolation**: This rule is directly relevant because the FAQ discusses "CRUD/FLS violations" as one of the code quality issues that the Salesforce Code Analyzer identifies. The FAQ explains how developers can use tools to identify and resolve these violations, which aligns with this rule's purpose of detecting improper CRUD (Create, Read, Update, Delete) permission handling in Apex code.

**ApexSharingViolations**: This rule relates to the broader security context mentioned in the FAQ. While not explicitly named, sharing violations are another category of security issues that developers encounter during AppExchange security review, and the resources mentioned (particularly the Salesforce Code Analyzer and Technical Office Hours) help identify and resolve these types of violations alongside CRUD/FLS issues.
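As an added illustration, not part of this FAQ or of Code Analyzer's own material, the Apex below shows the two patterns the ApexCRUDViolation and ApexSharingViolations rules are concerned with: a class declared with no sharing keyword that runs SOQL and DML without any object- or field-level permission check, followed by a hardened version of the same class. The class names, method names and the `AccessException` helper are hypothetical; the platform calls used (`WITH USER_MODE`, `Schema.sObjectType.Contact.isUpdateable()`, `Security.stripInaccessible`) are standard Apex.

```apex
// Added example (not from the FAQ): unchecked vs. checked CRUD/FLS and sharing.
// ContactExportUnchecked / ContactExportChecked / AccessException are hypothetical names.

public class AccessException extends Exception {}

// BEFORE: no sharing keyword, so the running user's record-level sharing rules are
// bypassed (ApexSharingViolations), and the SOQL and DML execute in system mode with
// no object- or field-level permission check (ApexCRUDViolation).
public class ContactExportUnchecked {
    public static List<Contact> fetch(Id accountId) {
        return [SELECT Id, Email, Phone FROM Contact WHERE AccountId = :accountId];
    }

    public static void tag(List<Contact> contacts, String tag) {
        for (Contact c : contacts) {
            c.Description = tag;
        }
        update contacts;
    }
}

// AFTER: 'with sharing' applies the running user's record access; the query runs
// WITH USER_MODE so the platform enforces object and field permissions; the DML path
// checks object-level update access and strips fields the user may not update.
public with sharing class ContactExportChecked {
    public static List<Contact> fetch(Id accountId) {
        // Fails with a QueryException if the user lacks read access to Contact or to
        // any selected field, rather than silently returning data the user cannot see.
        return [SELECT Id, Email, Phone
                FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    public static void tag(List<Contact> contacts, String tag) {
        // Object-level check: fail closed when the user cannot update Contact at all.
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new AccessException('Insufficient access to update Contact');
        }
        for (Contact c : contacts) {
            c.Description = tag;
        }
        // Field-level enforcement: stripInaccessible removes any field the user cannot
        // update; getRecords() returns the sanitised copies, which are then written.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        update decision.getRecords();
    }
}
```

The two classes are deliberately identical apart from the checks, so the diff between them is the remediation a reviewer would expect to see for findings in these two rule categories. Where a scanner still flags the checked version, that is the situation the FAQ's "Documentation of False Positives" item addresses: record the check that satisfies the finding and submit it with the review.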