FAQ-000373 - Code Removal and Vulnerability Persistence / Complete Code Removal


Current FAQ

Question
What's the proper way to address security issues in unused or legacy code?
Answer
To address security issues in unused or legacy code during the AppExchange Security Review:

1. **Remediate or Document**: Either fix the issues or document them as false positives if the code is no longer in use and cannot be removed.
2. **Provide Documentation**: Clearly explain why the flagged issues are nonexploitable or irrelevant to your solution's functionality.
3. **Use Tools**: Utilize the Salesforce Code Analyzer and Source Code Scanner to identify issues.
4. **Submit Documentation**: Upload the false-positives documentation along with your scan reports in the security review wizard.
5. **Seek Assistance**: If needed, schedule an appointment with the Product Security team through the Partner Security Portal.

For more details, you can refer to the AppExchange Security Review guidelines.

AI Recommended Enhancement

Question
What's the proper way to address security issues in unused or legacy code?
Recommended Answer Update
To address security issues in unused or legacy code during the AppExchange Security Review:

1. **Remediate or Document**: Either fix the issues or document them as false positives if the code is no longer in use and cannot be removed.
2. **Provide Documentation**: Clearly explain why the flagged issues are nonexploitable or irrelevant to your solution's functionality.
3. **Use Tools**: Utilize the Salesforce Code Analyzer and Source Code Scanner to identify issues.
4. **Submit Documentation**: Upload the false-positives documentation along with your scan reports in the security review wizard.
5. **Get Help**: If needed, schedule an appointment with the Product Security team through the Partner Security Portal.

For more details, refer to the AppExchange Security Review guidelines.
Reasoning
The FAQ content is accurate and well-structured, addressing a common scenario during security reviews. Only minor improvements were made to enhance clarity and conversational tone: changed 'Seek Assistance' to 'Get Help' for more natural language, and simplified 'you can refer to' to just 'refer to' to reduce wordiness. The content appropriately covers the proper approach to handling legacy code security issues. No security rules were selected because this FAQ addresses process and documentation aspects of handling legacy code during security review, rather than specific code vulnerability detection or prevention that the available rules focus on. The security rules in the list are primarily designed to detect specific vulnerabilities in active code (like SOQL injection, XSS, CRUD violations, etc.), while this FAQ deals with the administrative process of documenting and explaining why flagged code in unused/legacy sections should be considered false positives.