Mobb User Docs
Frequently Asked Questions (FAQ)


Last updated 3 days ago

Is Mobb free for open-source projects?

Yes, Mobb is completely free for open-source projects and always will be. Mobb is committed to supporting open-source maintainers.

How does Mobb test its fixes?

At Mobb, our testing process is rigorous. We leverage a dataset of nearly 2,000 open-source projects, along with a substantial collection of synthetic code samples, to research and validate our deterministic fixes. We continuously verify the accuracy of our fixes, with close to 3,500 unique tests (and growing) run automatically on each code change. As we grow our fix coverage, every new issue type or supported pattern that is added also increases the number of unique tests.

This extensive dataset provides our researchers with a broad range of vulnerable patterns reported by SAST tools in real-world applications. When a new fix is developed, it undergoes thorough testing to ensure accuracy, adherence to the syntax and format of the original code, and consistency across variations of the same vulnerability pattern. We also verify that our fixes are free from hallucinations and are recognized by the SAST tools, ensuring reliable and consistent remediation.

Do you have more information on the backend AI technology being used?

We leverage GenAI models hosted on AWS. Our platform uses a variety of models, and we constantly evaluate new models to ensure we always use the best model for a given task and, when needed, use different models for different tasks. We also have a strict policy around our use of GenAI; see page for more detail.

Do you copy and store the SAST report and code in your own database?

No. None of the uploaded artifacts (report or code) are stored in our database. They are only cached for two weeks so that developers can interact with them when needed, and are then purged from our environment.

Is the Mobb platform a SaaS product only?

Yes.

Is the Mobb platform a multi-tenant solution?

Both single-tenant and multi-tenant options are available.

Where is the Mobb platform hosted?

Amazon Web Services (AWS)

What audits and assurances are being conducted on the Mobb platform?

We are SOC 2 Type 2 compliant, audited by EY. Mobb was built with a security-first mindset from the early days, and we started working on security and compliance even before we had a product. We received our first certification while we were still in our beta stage.

How does Mobb deal with False Positive SAST findings?

We designed Mobb to address all supported issues, irrespective of their exploitability level. For example, in the case of an injection-style vulnerability, if the user input isn't directly processed in a particular code segment and is erroneously flagged by SAST, it remains uncertain whether this vulnerable code might be copied or invoked from another section of the application later on, rendering it vulnerable. Our approach is to resolve the issue regardless. This ensures compliance with the SAST scanner, thereby benefiting both development and security teams.

How is Mobb licensed?

Mobb uses contributing developers as the licensing unit.

How does Mobb define contributing developers?

Mobb defines contributing developers as developers who, in the last 90 days, have committed code to a repository in which Mobb is used to fix issues.

How do I find out which fixes were previously committed?

Mobb retains a record of all previous commits and provides a link to each commit on both the Report page and the Fix page. Simply look for the commit icon:

From the Report page:

From the Fix page:

You also have the ability to "Archive Fix". Archived fixes are moved to the bottom of the Fix Report and are excluded from the Dashboard.

How do I find out the total number of fixes available compared to the total number of findings in the original SAST report?

On the Fix Report page, hover over the (!) icon next to the text "Available Fixes" to see the number of issues fixed compared to the number of issues in the original SAST report.

Mobb uses a different naming convention for the issue name compared to the ones used by my SAST provider. How do I see the original issue name?

Mobb currently standardizes the issue names in the user interface, as different SAST providers have different names for the same issue type (e.g., Path Traversal vs. Path Manipulation). If you wish to see the original name as provided by your SAST provider, simply hover over the issue name on the Fix Report page, and a tooltip will appear that shows the original issue name.

How can I tell if a new fix is available?

When an existing fix is improved, the Mobb app indicates this status and offers to rerun the analysis with one click. After the rerun, the app indicates which fixes are "fresh," meaning they are new compared to the previous run.

How do I provide feedback to the Mobb team on a specific fix?

If you wish to provide feedback on a specific fix, you can do so on the Fix page by using the "Thumbs Up" or "Thumbs Down" buttons at the top right.

A pop-up screen will open that allows you to rate the fix and specify the reason for your rating. A comment box is also available for you to provide more details.

I’m not receiving the automated emails from Mobb (confirmation emails or organization invitations). Which email addresses do I need to whitelist?

When you sign up or when your administrator invites you to join Mobb, we send a confirmation or invitation email. If you're not seeing these in your inbox, please contact us at support@mobb.ai. These automated emails are generally sent from one of the following addresses:

  • postmaster@mail.mobb.ai

  • app@mail.mobb.ai

Adding these to your email whitelist should help ensure you receive our messages.

Do we need a Data Processing Agreement (DPA) with Mobb?

No, a DPA is not required because Mobb does not process, store, or access any personal data on behalf of our customers. Our solution analyzes static code and security findings without handling any user or production data. Since we do not act as a data processor under GDPR or similar regulations, a DPA is unnecessary.

After I click "Create a Pull Request", how do I know when it's ready?

Once you click "Create a Pull Request" after reviewing a fix, Mobb will begin creating the PR in the background. You’re free to navigate away from the page; there’s no need to wait.

The PR status will be displayed at the top of the screen:

  • In progress: The PR is still being created.

  • Completed: The PR has been successfully created, and a direct link to the PR will be shown.