FAQ-001600 - SQL Injection and Input Validation / False Positive Identification and Documentation


Current FAQ

Question
What should I do if I believe the security scanner has incorrectly identified a SOQL injection vulnerability?
Answer
If you believe the security scanner has incorrectly identified a SOQL injection vulnerability:

1. **Document the Issue**: Record the details of the flagged query in a False Positive (FP) document, explaining why the finding is not exploitable or not valid.
2. **Provide Explanations**: Include detailed reasoning and evidence supporting your claim. Trace the value the scanner flagged back to where it originates and show why an attacker cannot control it or cannot use it to change the structure of the query: for example, it is a compile-time constant, it is a field or object name checked against an allowlist before it is concatenated, or it is passed as a bind variable rather than concatenated into the query text.
3. **Follow Secure Practices**: Ensure your code uses secure practices to prevent actual vulnerabilities: bind variables for values, allowlists for field and object names, and `String.escapeSingleQuotes()` only as a fallback where a value genuinely has to be concatenated. Escaping quotes does not make a dynamic field or object name safe.
4. **Submit During Review**: Provide the FP document as part of the security review process.

For further clarification, you can also consult the Salesforce Secure Coding Guidance.
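The following Apex class is an example added to this FAQ to illustrate steps 2 and 3; it is not code from Salesforce or from the scanner. It shows the concatenation pattern the ApexSOQLInjection rule is meant to flag, the bind-variable and escaping fixes the answer refers to, and an allowlisted dynamic field name, which is the typical case where a scanner reports a concatenation that is in fact safe and an FP document is the right response. The class name, method names, and the contents of the allowlist are illustrative assumptions.

```apex
// Example added to this FAQ; not code from Salesforce or from the scanner.
// Class, method names and the allowlist contents are illustrative.
public with sharing class AccountSearch {

    // VULNERABLE: the value is concatenated into the query text, so quotes in
    // userInput become part of the SOQL. The input  x' OR Name != '  yields
    //   ... WHERE Name = 'x' OR Name != ''
    // and returns every Account with a non-blank Name that the running user can
    // see. This is the pattern ApexSOQLInjection exists to flag: a true positive.
    public static List<Account> findByNameUnsafe(String userInput) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name = \'' + userInput + '\'';
        return Database.query(soql);
    }

    // FIXED (preferred): a bind variable. The query text is fixed at compile
    // time and the value travels separately, so it can never alter the filter.
    public static List<Account> findByName(String userInput) {
        return [SELECT Id, Name FROM Account WHERE Name = :userInput];
    }

    // FIXED for dynamic SOQL assembled elsewhere: Database.queryWithBinds takes
    // the values as a map, so the query string does not need the variable in
    // scope at the point of the call. A LIKE pattern can be bound like any value.
    public static List<Account> findByNamePrefix(String prefix) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE :pattern';
        Map<String, Object> binds = new Map<String, Object>{ 'pattern' => prefix + '%' };
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    // FALLBACK: when a value really must be spliced into the string,
    // String.escapeSingleQuotes neutralises the quote the attack depends on.
    // Prefer a bind; use this only where binding is impossible.
    public static List<Account> findByNameEscaped(String userInput) {
        String safe = String.escapeSingleQuotes(userInput);
        String soql = 'SELECT Id, Name FROM Account WHERE Name = \'' + safe + '\'';
        return Database.query(soql);
    }

    // Field names cannot be bound, and escaping quotes does nothing for them
    // (an injected  Name DESC LIMIT 1  contains no quote). The only defence is
    // an allowlist checked before concatenation. A scanner that tracks the
    // concatenation but not the membership check may still flag this method:
    // that is a false positive, and the FP document should point to this check.
    private static final Set<String> SORTABLE_FIELDS =
        new Set<String>{ 'Name', 'CreatedDate', 'AnnualRevenue' };

    public static List<Account> listSortedBy(String sortField) {
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + sortField);
        }
        return Database.query('SELECT Id, Name FROM Account ORDER BY ' + sortField);
    }
}
```

When writing the FP document for a finding like `listSortedBy`, quote the allowlist and the check that precedes the concatenation, and state that `sortField` cannot reach the query with any value outside that set. A finding like `findByNameUnsafe` is not a false positive and should be fixed, not documented.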

AI Recommended Enhancement

Related Security Rules
ApexSOQLInjection
Question
What should I do if I believe the security scanner has incorrectly identified a SOQL injection vulnerability?
Recommended Answer Update
If you believe the security scanner has incorrectly identified a SOQL injection vulnerability:

1. **Document the Issue**: Record the details in a False Positive (FP) document, explaining why the flagged issue isn't exploitable or valid.
2. **Provide Explanations**: Include detailed reasoning and evidence supporting your claim.
3. **Follow Secure Practices**: Ensure your code uses secure practices like bind variables or input sanitization to prevent actual vulnerabilities.
4. **Submit During Review**: Provide the FP document as part of the security review process.

For further clarification, you can also consult the Salesforce Secure Coding Guidance.
Reasoning
The FAQ content is well-structured and accurate, requiring only minor language refinements for clarity. I changed 'is not exploitable' to 'isn't exploitable' to maintain the conversational tone specified in the guidelines, which calls for using contractions to sound more natural and friendly. For the related security rule, I selected ApexSOQLInjection because this FAQ directly addresses situations where developers believe this specific rule has incorrectly flagged their code. The FAQ's question explicitly mentions 'SOQL injection vulnerability' and the answer provides guidance on how to document and dispute when the ApexSOQLInjection scanner rule produces false positives. The entire FAQ is centered around helping developers respond to ApexSOQLInjection rule violations that they believe are incorrect, making this rule directly applicable to the FAQ's content and purpose.
Reasoning References