Frequently Asked Questions (FAQ)
Last updated
Was this helpful?
Last updated
Was this helpful?
Please check if your Azure DevOps organization allows for Third-party application access via OAuth, to do so, navigate to your Organization Settings. Next, go to Policies -> Third-party application access via OAuth. Make sure the toggle is set to On.
Yes, Mobb is completely free for open-source projects and always will be. Mobb is committed to supporting open-source maintainers.
At Mobb, our testing process is rigorous. We leverage a dataset with nearly 2,000 open-source projects, along with a substantial collection of synthetic code samples, to research and validate our deterministic fixes. We continuously verify the accuracy of our fixes, with close to 3,500 unique tests (and growing) automatically run on each code change. As we grow our fix coverage, for any new issue type or supported pattern that is being added, so does the number of unique tests grows.
This extensive dataset provides our researchers with a broad range of vulnerable patterns reported by SAST tools in real-world applications. When a new fix is developed, it undergoes thorough testing to ensure accuracy, adherence to the syntax and format of the original code, and consistency across variations of the same vulnerability pattern. We also verify that our fixes are free from hallucinations and are recognized by the SAST tools, ensuring reliable and consistent remediation.
We leverage GenAI models hosted on AWS. Our platform uses a variety of models, and we constantly evaluate new models to ensure we always use the best model for a given task and, when needed, use different models for different tasks. We also have a strict policy around our use of GenAI; see page for more detail.
No. None of the uploaded artifacts (report or code) is being stored in our DB. It is only cached for a duration of 2-weeks to allow the developers to interact with it when needed and then purged from our environment.
Yes.
Both single-tenant and multi-tenant options are available.
Amazon Web Services (AWS)
We are SOC2 Type 2 compliant audited by EY. Mobb was built with a security first mindset from the early days and started working on it even before we had a product. We received our first certification when we were still in our beta stage.
We designed Mobb to address all supported issues, irrespective of their exploitability level. For example, in the case of an injection-style vulnerability, if the user input isn't directly processed in a particular code segment and is erroneously flagged by SAST, it remains uncertain whether this vulnerable code might be copied or invoked from another section of the application later on, rendering it vulnerable. Our approach is to resolve the issue regardless. This ensures compliance with the SAST scanner, thereby benefiting both development and security teams.
Mobb uses contributing developers as the licensing unit.
Mobb defines contributing developers as developers who, in the last 90 days, committed code to a repo Mobb is used to fix issues in.
From the Report page:
From the Fix page:
On the Fix Report page, hover over the (!) icon next to the text "Available Fixes" to see the number of issues fixed compared to the number of issues in the original SAST report.
Mobb currently standardizes the issue names in the user interface, as different SAST providers have different names for the same issue type (e.g., Path Traversal vs. Path Manipulation). If you wish to see the original name as provided by your SAST provider, simply hover over the issue name in the Fix Report page, and a tooltip will appear that shows the original issue name.
When an existing fix is improved, the Mobb app indicates this status and offers to rerun the analysis with one click. After the rerun, the app indicates which fixes are "fresh," meaning they are new compared to the previous run.
If you wish to provide feedback on a specific fix, you can do so on the Fix page by using the "Thumbs Up" or "Thumbs Down" buttons on the top right.
A pop-up screen will open that allows you to rate the fix and specify the reason why you provided the rating. A comment box is also available for you to provide more details.
postmaster@mail.mobb.ai
app@mail.mobb.ai
Adding these to your email whitelist should help ensure you receive our messages.
No, a DPA is not required because Mobb does not process, store, or access any personal data on behalf of our customers. Our solution analyzes static code and security findings without handling any user, or production data. Since we do not act as a data processor under GDPR or similar regulations, a DPA is unnecessary.
Once you click "Create a Pull Request" after reviewing a fix, Mobb will begin creating the PR in the background. You’re free to navigate away from the page—there’s no need to wait.
The PR status will be displayed at the top of the screen:
In progress: The PR is still being created.\
Completed: The PR has been successfully created, and a direct link to the PR will be shown.
Mobb retains a record of all previous commits and provides a link to the commit in both the report page as well as the fix page. Simply look for the commit icon:
You also have the ability to "Archive Fix". Archived fixes will be relocated to the bottom of the Fix Report, and will be excluded from the .
When you sign up or when your administrator invites you to join Mobb, we send a confirmation or invitation email. If you're not seeing these in your inbox, please contact us at . These automated emails are generally sent from one of the following addresses:
