[SalesForce] Security review sample “False positive document”

We are submitting our app for security review. We have an ASP.NET web application that consumes a few Salesforce APIs. The Burp scanner raised a few OS, Ruby, Python and PHP injection errors. But we don't have Ruby, Python or PHP installed on the server on which our application is running. We are also not executing any OS-level commands in our code. We want to flag these as false positives. There's 1 false positive in the Force.com scan report as well. But I am not sure of the format of this document and what information is required by the review team. Does anyone have any sample false positive documents which they submitted to Salesforce?

Best Answer

There is no specific template/format as such.

You should just make sure you address the following points.

  1. Issue details
  2. Why you think it's not an issue
  3. If you have any other mechanism to handle the issue, you should mention that in detail with all the code references.
  4. Relevant screenshots

I had created my own template but cannot share it due to IP restrictions.

The Salesforce security review team is really smart and they will understand your point quickly if you provide a valid explanation with details.
