FAQ-001575 - SOQL Security and User Mode Implementation / Scanner and Tool Recognition Issues


Current FAQ

Question
Why does my scanner report an FLS issue even when I use user mode DML operations or WITH USER_MODE?
Answer
A scanner might report an FLS issue even when you use user mode DML operations because it may not recognize the user mode implementation or the specific checks in place. This can happen for several reasons:

1. **Scanner limitations**: Static code analysis tools might not fully account for runtime enforcement of USER_MODE. The feature is relatively new and scanner detection capabilities are still evolving, so a rule that expects an explicit permission check before each query or DML statement may not treat `WITH USER_MODE` or `AccessLevel.USER_MODE` as satisfying it.
2. **Incomplete enforcement**: While USER_MODE enforces sharing rules and CRUD/FLS checks at runtime, it applies only to the individual SOQL queries and DML statements that are written in user mode. Any other query, any `Database.query()` call without an `AccessLevel.USER_MODE` argument, and any plain DML statement in the same code path still run in system mode, so USER_MODE doesn't automatically address all potential vulnerabilities or cover all scenarios.
3. **Manual checks still required**: USER_MODE does not automatically enforce field-level security (FLS) in all cases. You need to explicitly check for FLS permissions using methods like `Schema.sObjectType` (for example `Schema.sObjectType.Contact.fields.Email.isAccessible()`) to verify field accessibility before performing database operations.

To address this:
- Explicitly verify field accessibility using `Schema.sObjectType` before performing DML operations.
- Document such cases as false positives with detailed explanations and submit them during the review process.
- Include evidence of your USER_MODE implementation and runtime enforcement (the exact `WITH USER_MODE` queries, `AccessLevel.USER_MODE` calls, or `as user` DML statements the scanner flagged) in your documentation.


AI Recommended Enhancement

Related Security Rules
ApexCRUDViolation
Question
Why does my scanner report an FLS issue even when I use user mode DML operations or WITH USER_MODE?
Recommended Answer Update
A scanner might report an FLS issue even when you use user mode DML operations because it may not recognize the user mode implementation or the specific checks in place. This can happen for several reasons:

1. **Scanner limitations**: Static code analysis tools might not fully account for runtime enforcement of USER_MODE. The feature is relatively new and scanner detection capabilities are still evolving, so a rule that expects an explicit permission check before each query or DML statement may not treat `WITH USER_MODE` or `AccessLevel.USER_MODE` as satisfying it.
2. **Incomplete enforcement**: While USER_MODE enforces sharing rules and CRUD/FLS checks at runtime, it applies only to the individual SOQL queries and DML statements that are written in user mode. Any other query, any `Database.query()` call without an `AccessLevel.USER_MODE` argument, and any plain DML statement in the same code path still run in system mode, so USER_MODE doesn't automatically address all potential vulnerabilities or cover all scenarios.
3. **Manual checks still required**: USER_MODE does not automatically enforce field-level security (FLS) in all cases. You may need to explicitly check for FLS permissions using methods like `Schema.sObjectType` (for example `Schema.sObjectType.Contact.fields.Email.isAccessible()`) to verify field accessibility before performing database operations.

To address this:
- Explicitly verify field accessibility using `Schema.sObjectType` before performing DML operations when needed.
- Document such cases as false positives with detailed explanations and submit them during the review process.
- Include evidence of your USER_MODE implementation and runtime enforcement (the exact `WITH USER_MODE` queries, `AccessLevel.USER_MODE` calls, or `as user` DML statements the scanner flagged) in your documentation.
Reasoning
The recommendations focus on improving clarity and precision while maintaining the original structure and points. The main changes are: (1) Changed 'You need to explicitly check' to 'You may need to explicitly check' to be more accurate - USER_MODE does handle FLS in many cases automatically, so explicit checks aren't always required. (2) Added 'when needed' to the recommendation about explicit verification to maintain consistency with the more precise language. These changes improve accuracy without removing information or changing the FAQ's scope. For the security rule ApexCRUDViolation: This rule is directly related because the FAQ specifically discusses FLS (Field-Level Security) issues that scanners report, and the ApexCRUDViolation rule detects violations of CRUD (Create, Read, Update, Delete) and FLS permissions in Apex code. The FAQ's entire focus on 'FLS issue' reporting, discussion of 'USER_MODE enforces sharing rules and CRUD/FLS checks', and recommendations to 'explicitly verify field accessibility using Schema.sObjectType' directly relate to what the ApexCRUDViolation rule is designed to detect and prevent.
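The following Apex class is an added example that illustrates both the current answer and the recommended update above; it is not code from the FAQ, from Salesforce, or from any scanner vendor. It writes one Contact lookup in each of the modes the answer discusses, so you can see which statements actually run in user mode, where a scanner that does not model USER_MODE still expects an explicit `Schema.sObjectType` check, and how a missing permission surfaces at runtime. The class name, the `FieldAccessException` type and the use of `Contact.Email` are assumptions chosen for illustration only.

```apex
// Added example, not code from the FAQ. Class and exception names are
// illustrative; Contact.Email is used only because every org has it.
public with sharing class ContactLookupExample {

    // Custom exception so the explicit permission checks fail with a clear message.
    public class FieldAccessException extends Exception {}

    // 1. System mode. 'with sharing' on the class applies sharing rules only;
    //    it does not enforce CRUD or FLS. A scanner that flags this query is right.
    public static List<Contact> findSystemMode(Id accountId) {
        return [SELECT Id, Email FROM Contact WHERE AccountId = :accountId];
    }

    // 2. User mode. CRUD, FLS and sharing are enforced at execution time for
    //    this statement only. If the running user cannot read Email, the query
    //    throws instead of silently returning the field.
    public static List<Contact> findUserMode(Id accountId) {
        return [SELECT Id, Email FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    // 3. Dynamic SOQL. Database.query(q) with no AccessLevel runs in system
    //    mode; the AccessLevel.USER_MODE argument is what makes this a user
    //    mode query. queryWithBinds keeps the bind variables explicit.
    public static List<Contact> findDynamicUserMode(Id accountId) {
        String q = 'SELECT Id, Email FROM Contact WHERE AccountId = :acct';
        return Database.queryWithBinds(
            q,
            new Map<String, Object>{ 'acct' => accountId },
            AccessLevel.USER_MODE
        );
    }

    // 4. What a scanner that does not model USER_MODE wants to see: an explicit
    //    Schema.sObjectType check before the statement. At runtime it is
    //    redundant with USER_MODE, but it is cheap and turns a runtime
    //    exception into a deliberate, documented failure path.
    public static List<Contact> findWithExplicitChecks(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()
                || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new FieldAccessException('No read access to Contact.Email');
        }
        return [SELECT Id, Email FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    // 5. Alternative when dropping fields is preferable to failing: query in
    //    system mode, then strip what the user cannot read. The decision's
    //    getRemovedFields() reports what was stripped, which is useful evidence
    //    when documenting a false positive.
    public static List<Contact> findStripped(Id accountId) {
        List<Contact> rows = [SELECT Id, Email FROM Contact WHERE AccountId = :accountId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    // 6. DML in user mode. Database.insert with AccessLevel.USER_MODE (or the
    //    'insert as user' statement) enforces create permission on the object
    //    and on every populated field; a field the user cannot create fails the
    //    record. The isCreateable() checks are again for the scanner's benefit
    //    and to fail early with a clear message.
    public static List<Database.SaveResult> createAsUser(List<Contact> newContacts) {
        if (!Schema.sObjectType.Contact.isCreateable()
                || !Schema.sObjectType.Contact.fields.Email.isCreateable()) {
            throw new FieldAccessException('No create access to Contact.Email');
        }
        return Database.insert(newContacts, false, AccessLevel.USER_MODE);
    }

    // 7. Caller side. User mode reports a missing permission as an exception,
    //    so the caller chooses how to surface it rather than receiving data
    //    the user should not see.
    public static List<Contact> findOrEmpty(Id accountId) {
        try {
            return findUserMode(accountId);
        } catch (System.QueryException e) {
            // e.getMessage() names the inaccessible field; log it and return nothing.
            System.debug(LoggingLevel.WARN, 'User mode query denied: ' + e.getMessage());
            return new List<Contact>();
        }
    }
}
```

When a scanner flags method 2, 3 or 6, the false-positive write-up should quote the specific `WITH USER_MODE`, `AccessLevel.USER_MODE` or `as user` statement and state that the runtime check covers that statement only; method 1 is a genuine finding and should be fixed rather than documented.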