FAQ-000357 - Code Quality vs Security Vulnerabilities / Static Analysis Tool Issues and Fixes


Current FAQ

Question
Do code quality issues from static analysis tools need to be fixed for security review, and are they treated as security concerns?
Answer
Code quality issues identified by static analysis tools do not necessarily need to be completely fixed for the AppExchange Security Review. Findings such as "DML Statements Inside Loops" are not treated as security concerns during the AppExchange Security Review: they are considered code quality issues and do not affect the review outcome. Addressing them is still recommended for better performance and maintainability. The key requirement is to run the scans, address all fixable violations, re-run the scans, and submit the updated report. Issues that cannot be fixed, such as false positives, are taken into account by the AppExchange Security team during their review.

AI Recommended Enhancement

Related Security Rules
ApexCRUDViolation, ApexSharingViolations
Question
Do code quality issues from static analysis tools need to be fixed for security review, and are they treated as security concerns?
Recommended Answer Update
Code quality issues identified by static analysis tools don't necessarily need to be completely fixed for the AppExchange Security Review. Findings such as "DML Statements Inside Loops" aren't treated as security concerns during the AppExchange Security Review: they're considered code quality issues and don't affect the review outcome. Addressing them is still recommended for better performance and maintainability. The key requirement is to run the scans, address all fixable violations, re-run the scans, and submit the updated report. Issues that can't be fixed, such as false positives, are taken into account by the AppExchange Security team during their review.
Reasoning
The answer was improved for clarity and tone by using contractions (don't, aren't, can't) and more conversational language as specified in the brand guidelines. The core message and structure remain unchanged - just refined for better readability while maintaining all original points about code quality vs security concerns, the scan process, and handling false positives. Regarding security rules: ApexCRUDViolation was selected because this rule detects missing CRUD (Create, Read, Update, Delete) permission checks in Apex code, which is a security concern that would be flagged by static analysis tools during the security review process. The FAQ discusses how static analysis tools identify different types of issues, and CRUD violations would be among the security-related findings that need attention. ApexSharingViolations was selected because this rule identifies sharing rule violations in Apex code, another category of security issue that static analysis would detect. The FAQ's distinction between "code quality issues" and actual security concerns directly relates to these types of security rules that would require fixes versus performance-related issues that might not.
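To make the distinction concrete, here is a constructed Apex example (added here, not from the FAQ or from Salesforce): the first class carries one finding the review treats as code quality (a DML statement per loop iteration) beside two it treats as security (no sharing declaration, no CRUD/FLS check before DML); the second class shows all three fixed. Class, method and exception names are hypothetical.

```apex
// Constructed example, not from the FAQ or Salesforce. Names are hypothetical.

// BEFORE: three findings a static analysis scan would report on this class.
public class ContactRenamerBefore {
    // Security: no sharing declaration (what ApexSharingViolations reports), so
    // the running user's record-level access is not enforced for the DML below.
    public static void rename(List<Id> contactIds, String prefix) {
        for (Id cid : contactIds) {
            Contact c = [SELECT Id, LastName FROM Contact WHERE Id = :cid];
            c.LastName = prefix + c.LastName;
            // Code quality: one DML statement per iteration ("DML Statements Inside
            // Loops"), a governor-limit/performance concern, not a security finding.
            // Security: no CRUD/FLS check before the update (what ApexCRUDViolation
            // reports).
            update c;
        }
    }
}

// AFTER: security findings fixed (required), quality finding fixed (recommended).
public with sharing class ContactRenamerAfter {
    public class PermissionException extends Exception {}

    public static Integer rename(List<Id> contactIds, String prefix) {
        // Enforce object and field permissions explicitly before any read or write.
        if (!Schema.sObjectType.Contact.isAccessible()
                || !Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.LastName.isUpdateable()) {
            throw new PermissionException('Insufficient access to Contact.LastName');
        }
        // One bulk query (WITH SECURITY_ENFORCED makes the platform check field-level
        // read access), then a single bulk DML outside the loop.
        List<Contact> toUpdate = new List<Contact>();
        for (Contact c : [SELECT Id, LastName FROM Contact
                          WHERE Id IN :contactIds WITH SECURITY_ENFORCED]) {
            c.LastName = prefix + c.LastName;
            toUpdate.add(c);
        }
        update toUpdate;
        return toUpdate.size();
    }
}
```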