FAQ-000363 - Code Quality vs Security Vulnerabilities / Unused and Obsolete Code Management


Current FAQ

Question
How does the security review process handle unused or unreachable code that contains vulnerabilities?
Answer
The security review process requires that all vulnerabilities, including those in unused or unreachable code, be addressed. If such code contains vulnerabilities, it must either be removed or updated to resolve the issues. The review findings are representative of issues that need to be fixed across the entire solution, and unresolved vulnerabilities, even in unused code, can lead to a failed review.


AI Recommended Enhancement

Question
How does the security review process handle unused or unreachable code that contains vulnerabilities?
Recommended Answer Update
The security review process requires that all vulnerabilities, including those in unused or unreachable code, be addressed. If such code contains vulnerabilities, it must either be removed or updated to resolve the issues. The review findings are representative of issues that need to be fixed across the entire solution, and unresolved vulnerabilities, even in unused code, can lead to a failed review.
Reasoning
The current answer is already well-structured and accurate. No security rules were selected because this FAQ addresses the policy and process for handling vulnerabilities in unused code during security review, rather than specific technical vulnerabilities that security scanner rules would detect. The rules in the available list are designed to detect particular vulnerability classes (such as SOQL injection, XSS, and CRUD violations) in active code, not to govern policy decisions about how to handle unused code containing such vulnerabilities. The FAQ asks about the review process and policy, not about the technical detection of vulnerabilities themselves. The answer correctly states that all vulnerabilities must be addressed regardless of code reachability, which is sound security practice: code that is unused today can become reachable again through later changes, at which point any vulnerability it carries becomes exploitable.