How should I handle and document SOQL injection warnings that I believe are false positives?
Answer
To handle and document SOQL injection warnings that you believe are false positives:
1. **Review the Code**: Confirm that the flagged code is indeed a false positive and validate whether the flagged instances are truly false positives.
2. **Ensure Security Measures**: Verify that bind variables and input sanitization methods like `String.escapeSingleQuotes()` are properly implemented.
3. **Document Evidence**: Clearly document your reasoning and evidence supporting the false positive classification. Include detailed reasoning and implementation details in a false-positive report.
4. **Submit a Report**: Include this documentation in a false-positives report during the security review process. This will be evaluated without additional fees.
5. **Secure Practices**: Ensure the use of bind variables or input sanitization methods to prevent vulnerabilities.
6. **Enforce Permissions**: Verify that user permissions are correctly enforced.
7. **Avoid Risky Execution**: Ensure no dynamic queries are executed in system mode without proper validation.
If you need further clarification or help, consider submitting a case with detailed explanations and code snippets.
How should I handle and document SOQL injection warnings that I believe are false positives?
Recommended Answer Update
To handle and document SOQL injection warnings that you believe are false positives:
1. **Review the Code**: Confirm that the flagged code is indeed a false positive by thoroughly examining the flagged instances.
2. **Ensure Security Measures**: Verify that bind variables and input sanitization methods like `String.escapeSingleQuotes()` are properly implemented.
3. **Document Evidence**: Clearly document your reasoning and evidence supporting the false positive classification. Include detailed reasoning and implementation details in a false-positive report.
4. **Submit a Report**: Include this documentation in a false-positives report during the security review process. This will be evaluated without additional fees.
5. **Secure Practices**: Ensure the use of bind variables or input sanitization methods to prevent vulnerabilities.
6. **Enforce Permissions**: Verify that user permissions are correctly enforced.
7. **Avoid Risky Execution**: Ensure no dynamic queries are executed in system mode without proper validation.
If you need further clarification or help, consider submitting a case with detailed explanations and code snippets.
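The bind-variable, `String.escapeSingleQuotes()` and permission-enforcement steps in both answers above are easier to document in a false-positive report when the report can point at concrete code. The following Apex class is an added illustration, not part of the original FAQ or of any Salesforce documentation; the class name `InvoiceSearch`, the custom object `Invoice__c` and its field `Status__c` are hypothetical. It shows the concatenation pattern a scanner correctly flags next to the three safe forms (static bind, dynamic bind map, escaped literal), so a report can state exactly which safe form sits between the user input and the query text.

```apex
// Added example (hypothetical class, object and field names; not the page's own code).
public with sharing class InvoiceSearch {

    // The pattern scanners flag: user-controlled text concatenated into query text.
    // Kept only to contrast with the safe forms below; do not use in production code.
    public static List<Invoice__c> unsafeByStatus(String status) {
        String q = 'SELECT Id, Name FROM Invoice__c WHERE Status__c = \'' + status + '\'';
        return Database.query(q);
    }

    // Preferred: a bind variable. The value is passed as data and is never parsed as
    // SOQL; WITH USER_MODE enforces the running user's object and field permissions.
    public static List<Invoice__c> byStatusBind(String status) {
        return [SELECT Id, Name FROM Invoice__c WHERE Status__c = :status WITH USER_MODE];
    }

    // Dynamic SOQL when the query shape varies at runtime. Only the field list, which
    // is derived from a Boolean rather than from user text, is built by concatenation;
    // the user value goes through the bind map, and AccessLevel.USER_MODE enforces
    // permissions in the same way as WITH USER_MODE does for static SOQL.
    public static List<Invoice__c> byStatusDynamic(String status, Boolean includeName) {
        String fields = includeName ? 'Id, Name' : 'Id';
        String q = 'SELECT ' + fields + ' FROM Invoice__c WHERE Status__c = :status';
        Map<String, Object> binds = new Map<String, Object>{ 'status' => status };
        return Database.queryWithBinds(q, binds, AccessLevel.USER_MODE);
    }

    // Fallback when a bind is not possible for a quoted string literal: escape the
    // single quotes first. A false-positive report for a line like the Database.query
    // call below should cite the escapeSingleQuotes call that feeds it, and should
    // note that this only protects quoted string literals, not other query positions.
    public static List<Invoice__c> byStatusEscaped(String status) {
        String safe = String.escapeSingleQuotes(status);
        String q = 'SELECT Id, Name FROM Invoice__c WHERE Status__c = \'' + safe + '\'';
        return Database.query(q);
    }
}
```

When writing the report, quote the flagged line, name the method that guards it (`byStatusBind`, `byStatusDynamic` or `byStatusEscaped` in this illustration), and state how permissions are enforced on that query (`WITH USER_MODE`, `AccessLevel.USER_MODE`, or the `with sharing` declaration plus explicit field-level checks); a reviewer can then confirm the classification without re-reading the whole class.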
Reasoning
The FAQ is well-structured and accurate overall. I made minor wording improvements to eliminate redundancy: combined 'Confirm that the flagged code is indeed a false positive and validate whether the flagged instances are truly false positives' into a single, clearer statement. This preserves all the original information while improving readability without changing the length or structure.
For the related security rule selection: I selected ApexSOQLInjection because this FAQ specifically addresses 'SOQL injection warnings' in both the question and answer. The entire FAQ is focused on handling false positive warnings from SOQL injection detection tools, which directly corresponds to what the ApexSOQLInjection rule detects. The FAQ discusses proper mitigation techniques like bind variables and String.escapeSingleQuotes(), which are the exact security measures that prevent the vulnerabilities this rule identifies.