How to respond to false positives in checkmarx scan results?


The following example shows how to document your responses to false positives resulting from a Checkmarx scan. The example is in tabular format, but you can use whatever format suits the reporting of your information. We implemented and called the AuthManager class to check these paths for us or throw an error.

Is there a checkmarx vulnerability in Salesforce apex?

As such, this is a Checkmarx false positive and must be addressed by explaining the scenario in your submission documentation. This answer also covers how best to comment the relevant code to help the Salesforce Security Team navigate the Checkmarx report.

Where do I find FLS / CRUD permissions in apex?

Whenever a user posts a Chatter post, the post should be archived to a custom object. FLS/CRUD permissions on ArchivedFeedItem__c: only the System Administrator has access. No other user has FLS/CRUD permissions on this custom object.

Are there any FLS / CRUD permissions for archivedfeeditem?

FLS/CRUD permissions on ArchivedFeedItem__c: only the System Administrator has access. No other user has FLS/CRUD permissions on this custom object. So the handler class is to be executed in system mode, without enforcing FLS/CRUD. Custom object file: ArchivedFeedItem__c.object
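The scenario above (archive every Chatter post into an admin-only custom object, so the handler must run in system mode) is the kind of finding that has to be justified rather than "fixed". The following is an added example, not code from the original post or from Salesforce: a handler class written so that a Checkmarx reviewer can see, at the point of the flagged DML, why the CRUD/FLS check is intentionally absent. It assumes a FeedItem after-insert trigger calls ArchivedFeedItemHandler.archive(Trigger.new), and the custom fields FeedItemId__c, Author__c and Body__c on ArchivedFeedItem__c are hypothetical names.

```apex
// Added example (not from the original post). Assumed: a FeedItem after-insert trigger
// calls archive(Trigger.new); the fields FeedItemId__c, Author__c and Body__c on
// ArchivedFeedItem__c are hypothetical names chosen for illustration.
//
// Checkmarx reviewers: the missing CRUD/FLS check before the insert below is intentional.
// Only System Administrator holds any permission on ArchivedFeedItem__c, yet every Chatter
// author's post must be archived. The class therefore runs in system mode ("without
// sharing", no isCreateable() gate) and is listed as a false positive in the security
// review submission. Nothing else runs in this class, which keeps the bypass narrow.
public without sharing class ArchivedFeedItemHandler {

    public static void archive(List<FeedItem> newPosts) {
        List<ArchivedFeedItem__c> archives = new List<ArchivedFeedItem__c>();

        for (FeedItem post : newPosts) {
            // Only text posts with a body are archived; other FeedItem types are skipped.
            if (post.Type != 'TextPost' || String.isBlank(post.Body)) {
                continue;
            }
            archives.add(new ArchivedFeedItem__c(
                FeedItemId__c = post.Id,        // hypothetical field: link back to the post
                Author__c     = post.CreatedById, // hypothetical field: who wrote it
                Body__c       = post.Body         // hypothetical field: archived text
            ));
        }

        if (archives.isEmpty()) {
            return;
        }

        // CRUD/FLS deliberately NOT enforced here (see class comment). The check Checkmarx
        // expects would read:
        //   if (!Schema.sObjectType.ArchivedFeedItem__c.isCreateable()) { throw new ... }
        // and would fail for every non-administrator author, defeating the requirement.
        insert archives;
    }
}
```

The comment block sits directly above the flagged DML statement so the reviewer finds the justification when they click through from the Checkmarx result; the same text, with the file and line reference, goes into the false-positive table in the submission document. Keep any system-mode class this small and single-purpose: no user-controlled SOQL, no writes to other objects, so the documented exception covers exactly one finding.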

How to find an unrecognized input in checkmarx?

In the case of an unidentified vulnerability due to an unrecognized input or output, this will be a query for finding inputs or outputs. In the example, you can see that the sanitizing query is Find_XSS_Sanitize. In the Source Code pane, right-click the unrecognized element.

When to look for a sanitation element in checkmarx?

In case of a false positive, you’re looking for a sanitation element; in case of an unidentified vulnerability – for an output (database command, operating system, or other output) or input element. In the above example, let’s say you identify that the add element in line 89 of the code actually sanitizes the input.

Is it necessary to ignore CRUD / FLS requirements?

Appreciate your help. Since the goal of the requirement requires the code to operate against objects and fields that the contextual user may not have access to, you are forced to ignore CRUD/FLS in order to realize the requirement.