The rules from v4 and v5 seems to be very differently generating AppExchange Security Review Submission report

[vc4u]

With v4, we're generating 3 separate reports, I understand, with v5, the documentation here guides to generate 2 reports (.json & .html), but the rule-selector is pointing to both 'Recommended' and 'AppExchange' rules.

But the official documentation here asks us to generate 3 reports from v4.

My two queries are:

1. Can we still submit v4 reports in our submission or are we suppose to submit v5 reports?
2. v5 reports, based on the documented command line, are including a lot more noise than what we had in v4. That means, there are a lot more things to document for Security Review team to explain our report findings, given the size of the app. And comparing the results in both, I found if the rule-selector is AppExchange then it reports same issues as were in v4, so should we not include Recommendation rule-set for sake of parity?

[johnbelosf]

Thank you - I asked the team to update the guidance we had for v4. Those docs should be live soon.

Thanks to you, we also identified a doc bug. You should run the Recommended:Security set of rules together with AppExchange.

sf code-analyzer run --rule-selector Recommended:Security --rule-selector AppExchange --output-file code-analyzer-results.json --output-file code-analyzer-report.html