Frequently Asked Questions (FAQ)

I cannot connect my Azure DevOps repository even after Mobb says "Token acquired, you may close this tab".

Please check if your Azure DevOps organization allows for Third-party application access via OAuth, to do so, navigate to your Organization Settings. Next, go to Policies -> Third-party application access via OAuth. Make sure the toggle is set to On.

Is Mobb free for open-source projects?

Yes, Mobb is completely free for open-source projects and always will be. Mobb is committed to supporting open-source maintainers.

How does Mobb test its fixes?

At Mobb, our testing process is rigorous. We leverage a dataset with nearly 2,000 open-source projects, along with a substantial collection of synthetic code samples, to research and validate our deterministic fixes. We continuously verify the accuracy of our fixes, with close to 3,500 unique tests (and growing) automatically run on each code change. As we grow our fix coverage, for any new issue type or supported pattern that is being added, so does the number of unique tests grows.

This extensive dataset provides our researchers with a broad range of vulnerable patterns reported by SAST tools in real-world applications. When a new fix is developed, it undergoes thorough testing to ensure accuracy, adherence to the syntax and format of the original code, and consistency across variations of the same vulnerability pattern. We also verify that our fixes are free from hallucinations and are recognized by the SAST tools, ensuring reliable and consistent remediation.

Do you have more information on the backend AI technology being used?

We leverage GenAI models hosted on AWS. Our platform uses a variety of models, and we constantly evaluate new models to ensure we always use the best model for a given task and, when needed, use different models for different tasks. We also have a strict policy around our use of GenAI; see Data Protection and Retention page for more detail.

Does you copy and store the SAST report and code in your own database?

No. None of the uploaded artifacts (report or code) is being stored in our DB. It is only cached for a duration of 2-weeks to allow the developers to interact with it when needed and then purged from our environment.

Is the Mobb platform a SaaS product only?

Yes.

Is the Mobb platform a multi-tenant solution?

Both single-tenant and multi-tenant options are available.

Where is the Mobb platform hosted?

Amazon Web Services (AWS)

What audits and assurances are being conducted on the Mobb platform?

We are SOC2 Type 2 compliant audited by EY. Mobb was built with a security first mindset from the early days and started working on it even before we had a product. We received our first certification when we were still in our beta stage.

How does Mobb deal with False Positive SAST findings?

Mobb automatically categorizes SAST findings into three categories: Fixable Issues, Irrelevant Issues, and Remaining Issues. False positives are identified and placed in the "Irrelevant Issues" category.

When you select "Irrelevant Issues" in your fix report, you'll see issues that are most likely false positives or irrelevant to your current context. Mobb provides specific reasoning for why each issue is categorized as irrelevant, including:

• False positive - The finding reported in your SAST report is not a real security issue and is potentially incorrectly flagged by the SAST tool. The specific reasoning will be outlined.

• Autogenerated code - Issues in code that is generated automatically by tools or frameworks

• Test code - Issues in code that resides in test-specific paths or contexts

• Suppressed - Issues that were suppressed in the scan report (mostly applies to Fortify results)

• Auxiliary Code - Code that is included in the codebase but does not impact the application's runtime behavior or security posture

This intelligent categorization helps development and security teams focus their efforts on legitimate security issues while automatically filtering out false positives and irrelevant findings. For genuine vulnerabilities that may appear as false positives due to context, Mobb still provides fixes to ensure compliance with SAST scanners and prevent potential future exploitation if the code is copied or invoked elsewhere in the application.

How is Mobb licensed?

Mobb uses contributing developers as the licensing unit.

How does Mobb define contributing developers?

Mobb defines contributing developers as developers who, in the last 90 days, committed code to a repo Mobb is used to fix issues in.

How do I find out which fixes were previously committed?

Mobb retains a record of all previous commits and provides a link to the commit in both the report page as well as the fix page. Simply look for the commit icon:

From the Report page:

From the Fix page:

How do I find out the total number of fixes available compared to the total number of findings in the original SAST report?

On the Fix Report page, hover over the (!) icon next to the text "Available Fixes" to see the number of issues fixed compared to the number of issues in the original SAST report.

Mobb uses a different naming convention for the issue name compared to the ones used by my SAST provider. How do I see the original issue name?

Mobb currently standardizes the issue names in the user interface, as different SAST providers have different names for the same issue type (e.g., Path Traversal vs. Path Manipulation). If you wish to see the original name as provided by your SAST provider, simply hover over the issue name in the Fix Report page, and a tooltip will appear that shows the original issue name.

How can I tell if a new fix is available?

When an existing fix is improved, the Mobb app indicates this status and offers to rerun the analysis with one click. After the rerun, the app indicates which fixes are "fresh," meaning they are new compared to the previous run.

How do I provide feedback to the Mobb team on a specific fix?

If you wish to provide feedback on a specific fix, you can do so on the Fix page by using the "Thumbs Up" or "Thumbs Down" buttons on the top right.

A pop-up screen will open that allows you to rate the fix and specify the reason why you provided the rating. A comment box is also available for you to provide more details.

You also have the ability to "Archive Fix". Archived fixes will be relocated to the bottom of the Fix Report, and will be excluded from the Dashboard.

I’m not receiving the automated emails from Mobb (confirmation emails or organization invitations). Which email addresses do I need to whitelist?

When you sign up or when your administrator invites you to join Mobb, we send a confirmation or invitation email. If you're not seeing these in your inbox, please contact us at [email protected]. These automated emails are generally sent from one of the following addresses:

• [email protected]

• [email protected]

Adding these to your email whitelist should help ensure you receive our messages.

Do we need a Data Processing Agreement (DPA) with Mobb?

No, a DPA is not required because Mobb does not process, store, or access any personal data on behalf of our customers. Our solution analyzes static code and security findings without handling any user, or production data. Since we do not act as a data processor under GDPR or similar regulations, a DPA is unnecessary.

After I click "Create a Pull Request", how do I know when it's ready?

Once you click "Create a Pull Request" after reviewing a fix, Mobb will begin creating the PR in the background. You’re free to navigate away from the page—there’s no need to wait.

The PR status will be displayed at the top of the screen:

• In progress: The PR is still being created.\

  
• Completed: The PR has been successfully created, and a direct link to the PR will be shown.