To resolve or document a false positive for SOQL injection, follow these steps:
1. **Identify the Location**: Clearly specify the code location of the reported vulnerability.
2. **Provide an Explanation**: Include a detailed explanation of why the flagged code is not a security vulnerability. Justify this with specific use cases, circumstances, or exceptions.
3. **Validate the Code**: Review the flagged code to confirm it is a false positive. Ensure proper input validation and sanitization are in place.
4. **Use Bind Variables**: Replace user-supplied input in SOQL queries with bind variables to safely handle input.
5. **Sanitize Input**: If bind variables aren't an option, use methods like `String.escapeSingleQuotes()` to sanitize input, combined with other validation methods.
6. **Implement Whitelisting**: For dynamic queries, use a whitelist of acceptable object and field names (e.g., via `Schema.getGlobalDescribe()`) and validate user input against it.
7. **Document False Positives**: Clearly document your justification, including detailed reasoning and evidence, in a false positive document.
8. **Submit for Review**: Include the false positive document in your submission, ensuring all flagged issues are reviewed and addressed.
9. **Follow Secure Practices**: Avoid executing user-generated queries in Apex (which runs in system mode). Use secure alternatives like REST or SOAP APIs for complex queries.
For SOQL injection specifically, ensure:
- **Bind Variables**: Verify that bind variables are used so that user-controlled input is passed to the query as data and cannot alter the query structure.
- **Input Sanitization**: Validate input and whitelist acceptable values.
- **Secure Coding Practices**: Confirm that single quotes are escaped wherever input must be concatenated, and that no query is built from unvalidated dynamic input.
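As an added illustration, not code from the original page, the Apex class below contrasts the concatenation pattern a scanner flags with the bind-variable form recommended above, the `String.escapeSingleQuotes()` fallback, and a field-name whitelist checked against `Schema.getGlobalDescribe()`. The class name `AccountSearch`, the `Account` object and the permitted field list are assumptions.

```apex
public with sharing class AccountSearch {
    // Before: user input concatenated straight into the query string.
    // This is the pattern a scanner reports as SOQL injection, because
    // the value can alter the WHERE clause rather than just fill it.
    public static List<Account> findUnsafe(String namePart) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + namePart + '%\'';
        return Database.query(q);
    }

    // Preferred: a bind variable. The value is handed to the query engine
    // as data and cannot change the query structure, so no escaping is needed.
    public static List<Account> findWithBind(String namePart) {
        String pattern = '%' + namePart + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // Fallback when the query text itself must be dynamic and the value
    // cannot be bound: escape single quotes before splicing it in.
    public static List<Account> findEscaped(String namePart) {
        String safe = String.escapeSingleQuotes(namePart);
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safe + '%\'';
        return Database.query(q);
    }

    // Field names cannot be bound and escapeSingleQuotes does not protect
    // them, so they are validated against a fixed whitelist (assumed list)
    // and against the live schema before being used.
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{ 'name', 'industry', 'billingcity' };

    public static List<Account> findByField(String fieldName, String value) {
        String key = fieldName == null ? '' : fieldName.toLowerCase();
        Map<String, Schema.SObjectField> fields = Schema.getGlobalDescribe()
            .get('Account').getDescribe().fields.getMap();   // keys are lowercase
        if (!ALLOWED_FIELDS.contains(key) || !fields.containsKey(key)) {
            throw new IllegalArgumentException('Field not permitted: ' + fieldName);
        }
        // The field name is now a known-good identifier; the value is still
        // bound, since Database.query resolves :value from the local scope.
        String q = 'SELECT Id, Name FROM Account WHERE ' + key + ' = :value';
        return Database.query(q);
    }
}
```

When documenting a false positive, pointing the reviewer at the specific bind, escape or whitelist line that neutralises the flagged input is usually more persuasive than a general statement that input is validated.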
Submit this explanatory document with your security review or resubmission. It will support your case if the issue is indeed a false positive.