Retrieving a Concise False Positive Summary

Overview

When Mobb marks an issue as a false positive, it generates a detailed fpDescription explaining exactly why the issue is not a real vulnerability. These descriptions are intentionally thorough — often spanning multiple paragraphs — to provide developers and security engineers with a complete rationale.

However, in many integration scenarios, a full-length explanation is impractical. For example:

SAST scanner suppression comments embedded directly in source code have strict character limits.
Ticketing systems (e.g., Jira, Linear) benefit from a concise one-line summary rather than a wall of text.
Dashboards and reports that surface FP justifications inline need a short, readable blurb.
CI/CD pipeline logs where brevity improves readability.

The GET /api/rest/fp-summary endpoint solves this by returning a trimmed version of the false positive description — capped at 280 characters.

Step 1: Identify the False Positive Issue and Capture Its `fpId` (`GET issues v5`)

Query the v5 issues endpoint, filtering by your fix report ID. In the response, look for issues with "state": "FalsePositive" — these entries include an fpId field that uniquely identifies the false positive record.

curl -X GET "https://api.mobb.ai/api/rest/v5/issues?fixReportId=a210dd07-a9df-4c2b-ad89-22343a580148" \
  -H "x-mobb-key: YOUR_API_KEY" \
  -H "Accept: application/json"

Sample Response (relevant fields shown):

{
    "getIssuesApiV5": {
        "vulnerability_report_issue": [
            {
                "id": "2df47df3-b139-4d6b-bf04-ac06bc514ef4",
                "vendorIssueId": "257",
                "issueType": "XSS",
                "severity": "error",
                "issueLanguage": "javascript",
                "state": "FalsePositive",
                "createdAt": "2026-03-04T18:10:11.439502+00:00",
                "fingerprintHash": "3c448e02f9ce40437d49864480ddffae",
                "vulnerabilityReportIssueTags": [
                    {
                        "vulnerability_report_issue_tag_value": "FALSE_POSITIVE"
                    }
                ],
                "fix": null,
                "fpId": "e0d33c87-8602-4267-a720-190ef66c8a54",
                "fpDescription": "This issue is a false positive. The flagged code at lines 430-442 involves retrieving a user record from the database using `req.params.userid`, updating the user's status field with a validated value from `req.body.status`, and then saving the record. On line 442, if an error occurs during the save operation, `res.status(500).send(err)` is called. This is NOT an XSS vulnerability because:\n\n1. The `err` object is a server-side error object generated by the database/ORM layer (likely Mongoose based on the `.save()` pattern), not user-controlled input.\n\n2. The `req.params.userid` is used only for database lookup and is never rendered in HTML context in this code path.\n\n3. The `req.body.status` value is strictly validated on lines 425-428 to only allow 'active' or 'inactive' before being assigned to the user object.\n\n4. The error response on line 442 sends the error object directly via Express's `res.send()`, which will serialize it as JSON or text. This is not a DOM manipulation or HTML rendering context where XSS could occur.\n\n5. While sending raw error objects to clients is poor practice from an information disclosure perspective, it does not constitute XSS as there is no user-controlled data being reflected into an HTML/JavaScript execution context.\n\nThe trace does not show any path where user input reaches a DOM sink like innerHTML, document.write(), or similar XSS-prone methods."
            }
        ],
        "hasNextPage": false
    }
}

Note the fpId value (e0d33c87-8602-4267-a720-190ef66c8a54) from the response — you will use this in the next step.

Step 2: Retrieve the Concise FP Summary (`GET fp-summary`)

Pass the fpId captured in Step 1 to the /api/rest/fp-summary endpoint to retrieve a condensed, 280-character-maximum summary of the false positive justification:

curl -X GET "https://api.mobb.ai/api/rest/fp-summary?fpId=e0d33c87-8602-4267-a720-190ef66c8a54" \
  -H "x-mobb-key: YOUR_API_KEY" \
  -H "Accept: application/json"

Sample Response:

{
    "getFpSummary": {
        "fpId": "e0d33c87-8602-4267-a720-190ef66c8a54",
        "fpDescriptionShort": "[marked FP by Mobb] False positive flagged as XSS; error is DB/ORM-generated, params are non-HTML rendered, body input is validated, and error is JSON serialized, not reflective in HTML/JS context."
    }
}

The fpDescriptionShort field contains the concise summary, ready to be embedded in code comments, tickets, or pipeline output.

PreviousParsing Fix Confidence and Fix Rating NextTracking Fix Lifecycle Metrics

Last updated 28 days ago

Overview

Step 1: Identify the False Positive Issue and Capture Its fpId (GET issues v5)

Step 2: Retrieve the Concise FP Summary (GET fp-summary)

Step 1: Identify the False Positive Issue and Capture Its `fpId` (`GET issues v5`)

Step 2: Retrieve the Concise FP Summary (`GET fp-summary`)