REST API Common Deployment Scenarios

Using GET Issues v5 API with False Positive Support

The GET Issues v5 API endpoint provides enhanced functionality over previous versions, including false positive support and improved filtering capabilities. This guide demonstrates how to use the v5 endpoint effectively.

Overview

The v5 issues endpoint (/api/rest/v5/issues) offers several key enhancements:

False Positive Support: Access fpDescription field for false positive information
Enhanced Metadata: Includes createdAt and fingerprintHash fields
Vulnerability Tags: Access vulnerabilityReportIssueTags array
Improved Filtering: Filter by fixReportId parameter for targeted queries

Step 1: Get Available Fix Reports (`GET fix-reports v2`)

First, retrieve all available fix reports to identify the ones you want to query:

curl -X GET "https://api.mobb.ai/api/rest/fix-reports" \
  -H "x-mobb-key: YOUR_API_KEY" \
  -H "Content-Type: application/json"

Sample Response:

{
  "getReportsApiV2": {
    "fixReport": [
      {
        "id": "f1fdee4c-9a62-4913-a179-18d07ec11a0e",
        "createdOn": "2024-01-10T23:41:53.650049+00:00",
        "expirationOn": "2024-01-24T23:41:53.650049+00:00",
        "createdByUser": {
          "email": "[email protected]",
          "id": "1f7ba60a-b4b8-4a08-91b9-d3a8c4af814d"
        },
        "vulnerabilityReport": {
          "vendor": "snyk",
          "project": {
            "id": "276cd1ed-64b7-496e-ad14-98eb6f55d5e0",
            "name": "My first project"
          }
        },
        "repo": {
          "name": "mobb-circleci-integration",
          "originalUrl": "https://github.com/antonychiu2/mobb-circleci-integration",
          "reference": "main"
        }
      }
    ]
  }
}

Step 2: Query Issues with Fix Report ID (`GET issues v5`)

Use the fix report ID from Step 1 to get issues with enhanced metadata and false positive information:

curl -X GET "https://api.mobb.ai/api/rest/v5/issues?fixReportId=f1fdee4c-9a62-4913-a179-18d07ec11a0e" \
  -H "x-mobb-key: YOUR_API_KEY" \
  -H "Content-Type: application/json"

Step 3: Understanding the v5 Response

The v5 response includes enhanced fields not available in previous versions:

Key New Fields:

fpDescription: Description when an issue is marked as false positive
createdAt: Timestamp when the issue was created
fingerprintHash: Unique fingerprint for the issue
vulnerabilityReportIssueTags: Array of tags associated with the issue

Sample v5 Response:

{
    "getIssuesApiV5": {
        "vulnerability_report_issue": [

            {
                "id": "dda692d7-0bd4-46b9-a978-3bbb09ac583f",
                "vendorInstanceId": null,
                "vendorIssueId": "371",
                "issueType": "browser.security.insecure-document-method",
                "severity": "error",
                "issueLanguage": "javascript",
                "state": "FalsePositive",
                "createdAt": "2025-10-22T19:10:24.36944+00:00",
                "fingerprintHash": "413f05ef11f75684c85c0d09f132770a",
                "vulnerabilityReportIssueTags": [
                    {
                        "vulnerability_report_issue_tag_value": "FALSE_POSITIVE"
                    }
                ],
                "fix": null,
                "fpDescription": "This issue is a false positive. This is not an XSS vulnerability. The code is setting innerHTML to a hardcoded constant value (wysihtml5.INVISIBLE_SPACE = '\\uFEFF') which is a Unicode zero-width no-break space character. There is no user-controlled input being inserted into the DOM - only a predefined, safe constant string. The value is not derived from any external source, user input, or dynamic data that could contain malicious content."
            }
        ],
        "hasNextPage": false
    }
}

Filtering Options

Filter by Specific Issue ID

curl -X GET "https://api.mobb.ai/api/rest/v5/issues?issueId=abc12345-e89b-12d3-a456-426614174003" \
  -H "x-mobb-key: YOUR_API_KEY"

Filter by Fix Report ID

curl -X GET "https://api.mobb.ai/api/rest/v5/issues?fixReportId=123e4567-e89b-12d3-a456-426614174000
  -H "x-mobb-key: YOUR_API_KEY"

Common Use Cases

Quality Assurance: Review fpDescription to understand why issues were marked as false positives
Issue Suppression for SAST Scanners: Use false positive descriptions to improve scanning accuracy
Reporting: Generate reports showing false positive rates and reasons
Issue Tracking: Track issue lifecycle with createdAt timestamps and fingerprintHash for deduplication

Best Practices for using `GET issues v5`

Use Fix Report ID Filtering: Always filter by fixReportId when querying specific fix reports to reduce the response size.
Handle Pagination: Check hasNextPage field and implement pagination for large result sets. If the result set exceeds 1000 entries, the response will be trucated with hasNextPage set to true. To obtain the full result set, the user will need to capture the last issueId and re-run the same API again by supplying the issueId to obtain the next 1000 results. Repeat until hasNextPage returns false.
The issue result sets are chronologically ordered from earliest to latest

Parsing Fix Confidence and Fix Rating from Fix Report Details API

This guide explains how to interpret the response from the GET fix-reports/{fixReportId} API.

How to obtain fix confidence status

The confidence field in the API response allows you to determine if a fix is considered "Stable" or "Adaptive".

"confidence": 90: indicates Stable Fix, which are deterministic fixes
"confidence": 50: indicates Adaptive Fix, which are fixes generated using intelligent AI techniques that may require closer review.

For more details on Stable vs Adaptive fixes, see Working with the Fix Report.

Sample Output (Truncated):

{
    "fixReport": [
        {
            "fixes": [
                {
                    "id": "51c6cce5-8374-4357-bda8-9a8e03f98e4b",
                    "safeIssueType": "SQL_Injection",
                    "confidence": 90,
                }
            ]
        }
    ]
}

How to obtain Fix Rating

The sharedState object contains the fixRatings array, which details user sentiment and feedback on a fix.

Vote Score (voteScore):
- 1: Thumbs Up
- -1: Thumbs Down
Fix Rating Tag (fixRatingTag): Reason for rejection (if voteScore is -1).
- Values: BAD_PATTERN, BREAKING_FIX, FALSE_POSITIVE, OTHER, UNRESOLVED_FIX
Comments (comment): Improved context provided by the user.
User Info: email and name of the reviewer.

For more information on how to submit feedback via the UI, see Providing Fix Feedback.