Working with the Fix Report
The fix report page allows you to browse through the fixes available for your project.
Fix Report Overview

The top banner provides users with the following information:
- Overview of the fix report, such as the name of the project, repository link, branch name, git hash, and whether there are code version issues.
- Analysis version: If multiple versions are available, click on the drop-down to select a previous run.
- Report expiry (default is 2 weeks). If an extension is required, click on the 3 dots to extend it by 30 days.
- Fix status: Shows the number of fixes in ready, committed, and downloaded status.
- Top issues by Type: This chart shows the number of fixes available by top issue types.
Issue Categorization
The issues reported by your SAST report will be categorized into one of 3 categories: Fixable Issues, Irrelevant Issues, and Remaining Issues. See below for more details.
Issue Categorization - Fixable Issues

By selecting the "Fixable Issues" category, your fix report will display the actionable fixes that you can review and commit directly to your repository.
Issue Categorization - Irrelevant Issues

By selecting "Irrelevant Issues", you will be able to see issues that are most likely false positives or irrelevant to your current context. There are various types of reasoning that you may observe when you are in this view:
- Autogenerated code refers to code that is generated automatically by tools or frameworks as part of the build or runtime process. This categorization highlights that the issue resides in non-manual code, which often requires tool-specific solutions or exemptions.
- False positive indicates the finding reported in your SAST report is not a real security issue and is potentially incorrectly flagged by the SAST tool. The specific reasoning will be outlined.
- Test code refers to code that resides in a test-specific path or context. This categorization indicates that it supports testing scenarios and is isolated from production use.
- Suppressed indicates the issue was suppressed in the scan report (mostly applies to Fortify results).
- Auxiliary code refers to code that is included in the codebase but does not impact the application's runtime behavior or security posture.
Here is an example of a False Positive detection in action:

Issue Categorization - Remaining Issues

By selecting the "Remaining Issues" category, you will see the list of issues for which Mobb does not yet have a fix.
Bulk Commits

Once you have reviewed fixes for a particular issue type, you have the option of committing multiple fixes at the same time. To do so:
- Select the checkbox for the issue type.
- Confirm the number of fixes you will be committing.
- Select either "Commit Fixes" or "Download".
- If "Commit Fixes" is selected, this will bring up the "Commit changes" screen, which will allow you to submit the fixes.
Search and filtering fixes

You can filter the fixes by using the "Add filter" button. There are different filter parameters available:
- Dev Owner
- Issue Type
- Status
- Confidence
- PowerUp
- Severity
- Language
- Effort
Fixing Effort
Fixing effort is an indicator of the level of effort required to complete a particular fix. This can be viewed in the fix report page under the "Effort" column as shown:

Currently, there are 3 levels of fixing effort:
- Easy / One-click fix - Mobb has all the information it needs, and no further actions are required.
- Additional Actions Required - Mobb has most of the info it needs, but provides you with the opportunity to influence the fix further.
- Dev research required - Mobb has most of the info it needs, but may require you to perform some additional research to validate and finalize the fix.