FAQ-000356 - Code Quality vs Security Vulnerabilities / Static Analysis Tool Issues and Fixes


Current FAQ

Question
What are the most common issues flagged by static analysis tools and how are they typically fixed?
Answer
The most common issues flagged by static analysis tools in the AppExchange Security Review, and their typical fixes, are:

1. **CRUD/FLS Violations**: Fix by ensuring all operations on objects and fields respect user permissions. Use checks like `isAccessible`, `isCreateable`, `isUpdateable`, and `isDeletable` before performing operations.
2. **Sharing Violations**: Address sharing violations, especially in batch classes and custom objects. For standard objects, ensure DML operations respect sharing rules.
3. **Insecure Storage of Sensitive Data**: Use secure storage mechanisms like Custom Settings or Custom Metadata Types for sensitive information (e.g., API keys) instead of hardcoding them.
4. **False Positives**: Document non-exploitable or invalid vulnerabilities in a False Positive (FP) document with justifications.
5. **General Vulnerabilities**: Use tools like Salesforce Code Analyzer and Checkmarx to identify vulnerabilities during development. Follow up with manual testing for thorough coverage.

After addressing these issues, resubmit the solution with updated scan reports to pass the security review.

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexSharingViolations
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ApexSuggestUsingNamedCred
Question
What are the most common issues flagged by static analysis tools and how are they typically fixed?
Recommended Answer Update
The most common issues flagged by static analysis tools in the AppExchange Security Review, and their typical fixes, are:

1. **CRUD/FLS Violations**: Fix by ensuring all operations on objects and fields respect user permissions. Use `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods to automatically enforce permissions. Manual checks like `isAccessible`, `isCreateable`, `isUpdateable`, and `isDeletable` are also valid approaches.
2. **Sharing Violations**: Address sharing violations, especially in batch classes and custom objects. For standard objects, ensure DML operations respect sharing rules.
3. **Insecure Storage of Sensitive Data**: Use secure storage mechanisms like Named Credentials for API authentication or Custom Settings/Custom Metadata Types for other sensitive information instead of hardcoding credentials in your code.
4. **False Positives**: Document non-exploitable or invalid vulnerabilities in a False Positive (FP) document with justifications.
5. **General Vulnerabilities**: Use tools like Salesforce Code Analyzer and Checkmarx to identify vulnerabilities during development. Follow up with manual testing for thorough coverage.

After addressing these issues, resubmit the solution with updated scan reports to pass the security review.
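The CRUD/FLS and credential-storage fixes from points 1 and 3 of both answers, shown in Apex as an added example (not code from the FAQ or from Salesforce). The class name, the `Contact`/`Email` field choice, and the Named Credential name `Example_API` are assumptions.

```apex
// Constructed example: a 'with sharing' service class (sharing rules enforced, point 2).
// ContactService and the Named Credential 'Example_API' are assumed names.
public with sharing class ContactService {

    public class AccessException extends Exception {}

    // FLAGGED by ApexCRUDViolation: no object or field permission check.
    // The running user may lack read access to Contact or to Contact.Email.
    public static List<Contact> findByAccountUnchecked(Id accountId) {
        return [SELECT Id, Email FROM Contact WHERE AccountId = :accountId];
    }

    // FIX 1: WITH USER_MODE enforces object and field-level security on the query;
    // if the user lacks access the query throws instead of silently returning data.
    public static List<Contact> findByAccount(Id accountId) {
        return [SELECT Id, Email FROM Contact WHERE AccountId = :accountId WITH USER_MODE];
    }

    // FIX 2: AccessLevel.USER_MODE on Database methods enforces CRUD/FLS for DML.
    // allOrNone=false returns per-record results instead of failing the whole batch.
    public static Database.SaveResult[] createContacts(List<Contact> contacts) {
        return Database.insert(contacts, false, AccessLevel.USER_MODE);
    }

    // FIX 3: manual describe checks, still accepted by the review; useful where you
    // want to fail early with a clear message before any DML runs.
    public static void updateEmail(Contact c, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable()
            || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessException('Insufficient access to update Contact.Email');
        }
        c.Email = newEmail;
        update c;
    }

    // Point 3 fix: authenticate the callout through a Named Credential so no API key
    // appears in source (addresses AvoidHardcodedCredentials* and ApexSuggestUsingNamedCred).
    public static HttpResponse callExternalApi() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Example_API/v1/contacts'); // 'Example_API' is assumed
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

`findByAccountUnchecked` is kept only to show the pattern the scanner reports; a submission should ship the `WITH USER_MODE`, `AccessLevel.USER_MODE`, or describe-check variants.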
Reasoning
The changes prioritize modern security features while preserving all existing information. For CRUD/FLS violations, I added WITH USER_MODE and AccessLevel.USER_MODE as preferred approaches while clarifying that manual permission checks remain valid. For insecure storage, I specifically mentioned Named Credentials as the preferred solution for API authentication, which better aligns with the ApexSuggestUsingNamedCred rule. All other points remain unchanged.

Security rules selected:

- ApexCRUDViolation: Directly relates to point 1 about CRUD/FLS violations and the need to check permissions before database operations
- ApexSharingViolations: Directly relates to point 2 about addressing sharing violations in batch classes and custom objects
- AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls: All relate to point 3 about insecure storage of sensitive data and avoiding hardcoded credentials
- ApexSuggestUsingNamedCred: Relates to point 3's recommendation to use secure storage mechanisms, specifically Named Credentials for API keys and authentication