FAQ-001642 - Salesforce Platform Security Responsibility / False Positive Identification and Documentation

Current Status: Suggests Case

Current FAQ

Question
When are security findings actually false positives related to standard functionality?
Answer
Security issues can be considered false positives when they involve platform functionality rather than package code in the following situations:

1. **Platform Behavior vs Package Code**:
   - Vulnerabilities like SQL Injection or Path Traversal that are related to platform behavior and not the package itself
   - The use of `userinfo.getsessionId` for Metadata API access
   - Certain CRUD/FLS checks flagged by scanners that align with approved platform use cases or configurations
2. **Non-Exploitable Issues**:
   - Functionality inherent to the platform or intended by design
   - Flagged code that is nonexploitable or does not involve sensitive data
   - Code required to support valid use cases
3. **Standard Functionality**:
   - When the flagged issue does not pose a real security vulnerability
   - Issues that are part of standard Salesforce features and cannot be modified

To address these, provide proper documentation explaining why the issue is a false positive, including the code location and rationale, during the security review process. It's important to provide detailed documentation and open a case for review to confirm these classifications.

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexSharingViolations
- ApexSOQLInjection
- ApexOpenRedirect
- AvoidApiSessionId
- AvoidUnauthorizedGetSessionIdInApex
Question
When are security findings actually false positives related to standard functionality?
Recommended Answer Update
Security issues can be considered false positives when they involve platform functionality rather than package code in the following situations:

1. **Platform Behavior vs Package Code**:
   - Vulnerabilities like SOQL Injection or Open Redirect that are related to platform behavior and not the package itself
   - The use of `UserInfo.getSessionId()` for Metadata API access
   - Certain CRUD/FLS checks flagged by scanners that align with approved platform use cases or configurations
2. **Non-Exploitable Issues**:
   - Functionality inherent to the platform or intended by design
   - Flagged code that is non-exploitable or does not involve sensitive data
   - Code required to support valid use cases
3. **Standard Functionality**:
   - When the flagged issue does not pose a real security vulnerability
   - Issues that are part of standard Salesforce features and cannot be modified

To address these, provide proper documentation explaining why the issue is a false positive, including the code location and rationale, during the security review process. It's important to provide detailed documentation and open a case for review to confirm these classifications.
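To make the "non-exploitable" category concrete, here is a constructed Apex example (added here, not part of the FAQ or any reviewed package) with three dynamic-SOQL patterns: a real injection, its remediation, and a pattern that string-based scanners can report under a rule such as ApexSOQLInjection even though no caller-supplied text can reach the query. The class name, the field allow-list and the assumption about what a scanner would flag are illustrative.

```apex
// Constructed example: which dynamic SOQL findings are real, and which are
// candidates for a documented false positive.
public with sharing class ContactLookupExample {

    // Constructed allow-list: the only strings that can ever be spliced into a query.
    private static final Set<String> SORTABLE_FIELDS =
        new Set<String>{ 'Name', 'Email', 'CreatedDate' };

    // TRUE POSITIVE: caller-controlled text is concatenated straight into the
    // query, so the caller can change the query's structure. Fix, do not document.
    public static List<Contact> searchUnsafe(String namePart) {
        String soql = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + namePart + '%\'';
        return Database.query(soql);
    }

    // REMEDIATED: a bind variable carries the value, so it can never be parsed as
    // SOQL. WITH SECURITY_ENFORCED also addresses the CRUD/FLS class of findings.
    public static List<Contact> searchSafe(String namePart) {
        String pattern = '%' + namePart + '%';
        return [SELECT Id, Name FROM Contact
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // CANDIDATE FALSE POSITIVE: a scanner sees concatenation into Database.query,
    // but the spliced value is one of the allow-listed constants above (a field
    // name cannot be bound, so an allow-list is the correct control here).
    // Document the class, method, line and the allow-list in the false-positive
    // write-up rather than rewriting working code.
    public static List<Contact> listSorted(String sortField) {
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + sortField);
        }
        String soql = 'SELECT Id, Name FROM Contact ORDER BY ' + sortField + ' LIMIT 50';
        return Database.query(soql);
    }
}
```

The false-positive write-up for `listSorted` should state exactly which input reaches the query and why the allow-list check bounds it; a reviewer needs that reasoning, not just the claim that the finding is non-exploitable.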
Reasoning
Minor improvements made for clarity and accuracy:

1. Changed 'SQL Injection' to 'SOQL Injection' to use the correct Salesforce terminology
2. Changed 'Path Traversal' to 'Open Redirect' as this is more commonly flagged in Salesforce contexts
3. Corrected the capitalization of 'UserInfo.getSessionId()' to match proper Apex syntax
4. Fixed the spelling of 'nonexploitable' to 'non-exploitable' for better readability

All security rules selected are directly relevant to the FAQ content:

- ApexCRUDViolation relates to the CRUD/FLS checks mentioned in point 1
- ApexSharingViolations relates to sharing rule violations that could be false positives
- ApexSOQLInjection relates to the SOQL injection mentioned as a potential false positive
- ApexOpenRedirect relates to the redirect vulnerabilities mentioned
- AvoidApiSessionId and AvoidUnauthorizedGetSessionIdInApex both relate to the UserInfo.getSessionId() usage mentioned for Metadata API access, which is cited as a common false positive scenario