FAQ-000746 - Deprecated Component Security Assessment / Component Removal and Cleanup

Current Status: SUGGESTS_CASE

Current FAQ

Question
What is the correct process for removing obsolete or unused components from a managed package so they are not included in security scans?
Answer
To remove obsolete or unused components from a managed package and ensure they are not included in security scans:

1. **Delete Unused Components**: Remove any components that are no longer in use from the package entirely. This is the most effective way to ensure they no longer pose a security risk.
2. **Remove Code**: If deletion isn't feasible, remove the code from Visualforce pages, Apex classes, or other components. Simply commenting out the code is not sufficient, as it may still be flagged during the scan.
3. **Thorough Cleanup**: Ensure that all unused or obsolete components are fully removed to avoid unnecessary vulnerabilities being reported.
4. **Document If Necessary**: If components can't be deleted, document the reasons and ensure they aren't invoked or accessible in the application. If unused components are accidentally included in a managed package submitted for AppExchange Security Review, document and explain them in your submission.
5. **Resubmit for Review**: After making the necessary changes, resubmit your package for a security review to confirm that the issue has been resolved.

For more detailed guidance, check out these resources:

- [Packaging Managed Component Deletion](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/packaging_managed_component_deletion.htm)
- [Removing Metadata Components](https://developer.salesforce.com/docs/atlas.en-us.pkg2_dev.meta/pkg2_dev/sfdx_dev_dev2gp_remove_md_components.htm)

This process helps maintain a clean and secure package for the security review.
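A pre-submission check for steps 2 and 3 of the answer above, as an added example that is not part of the original FAQ or of any Salesforce tool: it walks a package source tree and lists Apex and Visualforce files that still contain commented-out code, or whose `-meta.xml` declares an `apiVersion` below a chosen floor. The comment heuristic, the `min_api` value and the sample files are assumptions made for illustration, and every hit needs a human decision on whether to delete the component.

```python
import re
import tempfile
from pathlib import Path

# (tokenizer, hint of code inside a comment). Apex strings are matched first
# so '//' inside a literal such as a URL is not read as a comment.
APEX = (re.compile(r"'(?:\\.|[^'\\\n])*'|/\*.*?\*/|//[^\n]*", re.S), re.compile(r"[;{}]"))
VF = (re.compile(r"<!--.*?-->", re.S), re.compile(r"<\s*(apex:|script)", re.I))
RULES = {".cls": APEX, ".trigger": APEX, ".page": VF, ".component": VF}
API_VERSION = re.compile(r"<apiVersion>(\d+)(?:\.\d+)?</apiVersion>")

def audit_component(path, min_api):
    """Return findings for one Apex or Visualforce source file."""
    if path.suffix not in RULES:
        return []
    tokenizer, code_hint = RULES[path.suffix]
    tokens = [m.group() for m in tokenizer.finditer(path.read_text(encoding="utf-8"))]
    comments = [t for t in tokens if not t.startswith("'")]
    findings = []
    if any(code_hint.search(c) for c in comments):  # heuristic; review each hit
        findings.append("commented-out code")
    meta = path.with_name(path.name + "-meta.xml")
    version = API_VERSION.search(meta.read_text(encoding="utf-8")) if meta.exists() else None
    if version and int(version.group(1)) < min_api:
        findings.append(f"apiVersion {version.group(1)} < {min_api}")
    return findings

def audit_package(root, min_api):
    """Map relative path -> findings for every flagged component under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        found = audit_component(path, min_api) if path.is_file() else []
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Audit a constructed sample package (not taken from a real one)."""
    meta = "<ApexClass><apiVersion>{}.0</apiVersion></ApexClass>"
    sample = {
        "classes/Legacy.cls": "public class Legacy {\n  // Database.query(q);\n}\n",
        "classes/Legacy.cls-meta.xml": meta.format(29),
        "classes/Live.cls": "public class Live {\n  String u = 'http://example.com';\n}\n",
        "classes/Live.cls-meta.xml": meta.format(60),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in sample.items():
            Path(tmp, name).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, name).write_text(body, encoding="utf-8")
        return audit_package(tmp, min_api=40)
```

Calling `audit_package("path/to/source", min_api=N)` on a real project returns the same mapping; pick `N` from whatever floor your own scan results report, since this page does not state one.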

AI Recommended Enhancement

Related Security Rules
AvoidOldSalesforceApiVersions
Question
What is the correct process for removing obsolete or unused components from a managed package so they are not included in security scans?
Recommended Answer Update
To remove obsolete or unused components from a managed package and ensure they are not included in security scans:

1. **Delete Unused Components**: Remove any components that are no longer in use from the package entirely. This is the most effective way to ensure they no longer pose a security risk.
2. **Remove Code**: If deletion isn't feasible, remove the code from Visualforce pages, Apex classes, or other components. Simply commenting out the code isn't sufficient, as it may still be flagged during the scan.
3. **Thorough Cleanup**: Ensure that all unused or obsolete components are fully removed to avoid unnecessary vulnerabilities being reported.
4. **Document If Necessary**: If components can't be deleted, document the reasons and ensure they aren't invoked or accessible in the application. If unused components are accidentally included in a managed package submitted for AppExchange Security Review, document and explain them in your submission.
5. **Resubmit for Review**: After making the necessary changes, resubmit your package for security review to confirm that the issue has been resolved.

For more detailed guidance, check out these resources:

- [Packaging Managed Component Deletion](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/packaging_managed_component_deletion.htm)
- [Removing Metadata Components](https://developer.salesforce.com/docs/atlas.en-us.pkg2_dev.meta/pkg2_dev/sfdx_dev_dev2gp_remove_md_components.htm)

This process helps maintain a clean and secure package for security review.
Reasoning
I made minimal changes to improve the conversational tone while maintaining all existing content and structure. The main changes were: 1) Changed 'is not sufficient' to 'isn't sufficient' to match the conversational style guidelines using contractions, and 2) Changed 'the security review' to 'security review' in the final sentence to be more concise and natural. I selected the AvoidOldSalesforceApiVersions rule because the FAQ discusses removing obsolete/unused components from packages, and old API versions in components would be a specific example of obsolete elements that security scans would flag. The FAQ's emphasis on removing unused components to avoid security scan issues directly relates to this rule's purpose of identifying outdated API versions that should be updated or removed.