FAQ-000536 - Custom Settings and Configuration Security / Security Review and Compliance


Current FAQ

Question
How do I resolve Data Flow Analysis scan errors that prevent successful security review submission?
Answer
To resolve Data Flow Analysis (DFA) scan errors that prevent successful security review submission:

1. **Review Specific Errors**: Identify issues flagged by the DFA scan, such as CRUD/FLS validations or source and sink identification.
2. **Address CRUD/FLS Issues**: Use "user mode" where possible to mitigate errors, and implement additional CRUD/FLS checks if needed.
3. **Verify Custom Permissions**: Ensure custom permissions at entry points are properly configured, as these will be evaluated during the review.
4. **Document False Positives**: Create a false positive (FP) document detailing the controls or fixes implemented to address flagged issues.
5. **Troubleshoot Source and Sink Issues**: Refer to Salesforce Graph Engine documentation and related resources for guidance on resolving these issues.
6. **Rescan and Submit**: After making fixes, rescan your package and submit updated reports along with the FP document, if applicable.

For further help, you can schedule a technical office hours appointment with the Product Security team.

AI Recommended Enhancement

Related Security Rules (click to view)
ApexCRUDViolation, ApexSharingViolations
Question
How do I resolve Data Flow Analysis scan errors that prevent successful security review submission?
Recommended Answer Update
To resolve Data Flow Analysis (DFA) scan errors that prevent successful security review submission:

1. **Review Specific Errors**: Identify issues flagged by the DFA scan, such as CRUD/FLS validations or source and sink identification.
2. **Address CRUD/FLS Issues**: Use `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods where possible to automatically enforce permissions. You can also implement additional CRUD/FLS checks if needed.
3. **Verify Custom Permissions**: Ensure custom permissions at entry points are properly configured, as these will be evaluated during the review.
4. **Document False Positives**: Create a false positive (FP) document detailing the controls or fixes implemented to address flagged issues.
5. **Troubleshoot Source and Sink Issues**: Refer to Salesforce Graph Engine documentation and related resources for guidance on resolving these issues.
6. **Rescan and Submit**: After making fixes, rescan your package and submit updated reports along with the FP document, if applicable.

For further help, you can schedule a technical office hours appointment with the Product Security team.
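The following Apex class is an added example, not code from the FAQ or from Salesforce, illustrating steps 2 and 3 of both the current and the recommended answer: a custom-permission check at the entry point, an inline SOQL query with `WITH USER_MODE`, dynamic SOQL and DML through the `AccessLevel.USER_MODE` overloads of the `Database` methods, and `Security.stripInaccessible` as the "additional CRUD/FLS check" for code paths that must degrade gracefully rather than fail. The class name, method names, and the custom permission API name `Placeholder_Custom_Permission` are assumptions; `Contact`, `Email` and `Description` are standard objects and fields.

```apex
// Added example (not from the FAQ): the user-mode enforcement styles that
// step 2 recommends, plus a custom-permission gate at the entry point (step 3).
public with sharing class ContactService {

    // Entry point guarded by a custom permission. The API name below is a
    // placeholder; replace it with the permission defined in your package.
    @AuraEnabled
    public static List<Contact> findContactsByEmailDomain(String domain) {
        if (!FeatureManagement.checkPermission('Placeholder_Custom_Permission')) {
            throw new AuraHandledException('Insufficient privileges');
        }
        // Inline SOQL in user mode: object access, field-level security and
        // sharing are all enforced for the running user, so no manual
        // isAccessible() checks are needed and the DFA scanner can treat the
        // query as a safe sink. The bind variable keeps the filter value out
        // of the query string, so no escaping is required.
        String pattern = '%@' + domain;
        return [SELECT Id, Name, Email
                FROM Contact
                WHERE Email LIKE :pattern
                WITH USER_MODE
                LIMIT 200];
    }

    // Dynamic SOQL and DML: the AccessLevel.USER_MODE overloads apply the same
    // enforcement when the query text is built at runtime. If the user lacks
    // read access to a selected field, the query fails with a QueryException
    // instead of silently returning data the user should not see.
    public static List<Database.SaveResult> tagContacts(Set<Id> contactIds, String description) {
        String soql = 'SELECT Id, Description FROM Contact WHERE Id IN :contactIds';
        List<Contact> contacts = Database.query(soql, AccessLevel.USER_MODE);
        for (Contact c : contacts) {
            c.Description = description;
        }
        // Partial-success update in user mode: records the user may not edit
        // are rejected by the platform rather than written.
        return Database.update(contacts, false, AccessLevel.USER_MODE);
    }

    // Fallback CRUD/FLS control for code that cannot run in user mode, or
    // that must hide inaccessible fields rather than raise an exception:
    // strip fields the user cannot read before handing records to the caller.
    public static List<Contact> readableContacts(List<Contact> records) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, records);
        return (List<Contact>) decision.getRecords();
    }
}
```

Pick one style per code path: user-mode queries and DML fail closed with an exception when a permission is missing, which is usually what a security review wants, while `stripInaccessible` is the right tool when an entry point must still return the accessible subset of a record. Whichever you use, the FP document should name the method and the control applied so the reviewer can match it to the flagged sink.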
Reasoning
The main improvement focuses on step 2 regarding CRUD/FLS issues. The original answer only mentioned using 'user mode' generically and implementing additional checks. Following the security approaches guidelines, I updated this to specifically mention the modern approaches: `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods, while still preserving the option for additional checks. This provides clearer, more actionable guidance while maintaining all existing information.

For related security rules:

- ApexCRUDViolation: This rule directly relates to the FAQ's discussion of "CRUD/FLS validations" and "CRUD/FLS issues" mentioned in steps 1 and 2. The FAQ is specifically about resolving DFA scan errors that include CRUD violations.
- ApexSharingViolations: This rule relates to the FAQ's mention of source and sink identification issues in DFA scans, as sharing violations are commonly flagged security issues that need to be resolved during the security review process.