Frequently Asked Questions (FAQ)

Is Mobb free for open-source projects?

Yes, Mobb is completely free for open-source projects and always will be. Mobb is committed to supporting open-source maintainers.

How does Mobb test its fixes?

At Mobb, our testing process is rigorous. We leverage a dataset with nearly 2,000 open-source projects, along with a substantial collection of synthetic code samples, to research and validate our deterministic fixes. We continuously verify the accuracy of our fixes, with close to 3,500 unique tests (and growing) automatically run on each code change. As we grow our fix coverage, for any new issue type or supported pattern that is being added, so does the number of unique tests grows.

This extensive dataset provides our researchers with a broad range of vulnerable patterns reported by SAST tools in real-world applications. When a new fix is developed, it undergoes thorough testing to ensure accuracy, adherence to the syntax and format of the original code, and consistency across variations of the same vulnerability pattern. We also verify that our fixes are free from hallucinations and are recognized by the SAST tools, ensuring reliable and consistent remediation.

Do you have more information on the backend AI technology being used?

We leverage GenAI models hosted on AWS. Our platform uses a variety of models, and we constantly evaluate new models to ensure we always use the best model for a given task and, when needed, use different models for different tasks. We also have a strict policy around our use of GenAI; see page for more detail.

Does you copy and store the SAST report and code in your own database?

No. None of the uploaded artifacts (report or code) is being stored in our DB. It is only cached for a duration of 2-weeks to allow the developers to interact with it when needed and then purged from our environment.

Is the Mobb platform a SaaS product only?

Yes.

Is the Mobb platform a multi-tenant solution?

Both single-tenant and multi-tenant options are available.

Where is the Mobb platform hosted?

Amazon Web Services (AWS)

What audits and assurances are being conducted on the Mobb platform?

We are SOC2 Type 2 compliant audited by EY. Mobb was built with a security first mindset from the early days and started working on it even before we had a product. We received our first certification when we were still in our beta stage.

How does Mobb deal with False Positive SAST findings?

We designed Mobb to address all supported issues, irrespective of their exploitability level. For example, in the case of an injection-style vulnerability, if the user input isn't directly processed in a particular code segment and is erroneously flagged by SAST, it remains uncertain whether this vulnerable code might be copied or invoked from another section of the application later on, rendering it vulnerable. Our approach is to resolve the issue regardless. This ensures compliance with the SAST scanner, thereby benefiting both development and security teams.

How is Mobb licensed?

Mobb uses contributing developers as the licensing unit.

How does Mobb define contributing developers?

Mobb defines contributing developers as developers who, in the last 90 days, committed code to a repo Mobb is used to fix issues in.

How do I find out which fixes were previously committed?

From the Report page:

From the Fix page:

How do I find out the total number of fixes available compared to the total number of findings in the original SAST report?

On the Fix Report page, hover over the (!) icon next to the text "Available Fixes" to see the number of issues fixed compared to the number of issues in the original SAST report.

Mobb uses a different naming convention for the issue name compared to the ones used by my SAST provider. How do I see the original issue name?

Mobb currently standardizes the issue names in the user interface, as different SAST providers have different names for the same issue type (e.g., Path Traversal vs. Path Manipulation). If you wish to see the original name as provided by your SAST provider, simply hover over the issue name in the Fix Report page, and a tooltip will appear that shows the original issue name.

How can I tell if a new fix is available?

When an existing fix is improved, the Mobb app indicates this status and offers to rerun the analysis with one click. After the rerun, the app indicates which fixes are "fresh," meaning they are new compared to the previous run.

How do I provide feedback to the Mobb team on a specific fix?

If you wish to provide feedback on a specific fix, you can do so on the Fix page by using the "Thumbs Up" or "Thumbs Down" buttons on the top right.

A pop-up screen will open that allows you to rate the fix and specify the reason why you provided the rating. A comment box is also available for you to provide more details.

I’m not receiving the automated emails from Mobb (confirmation emails or organization invitations). Which email addresses do I need to whitelist?

• postmaster@mail.mobb.ai

• app@mail.mobb.ai

Adding these to your email whitelist should help ensure you receive our messages.

Do we need a Data Processing Agreement (DPA) with Mobb?

No, a DPA is not required because Mobb does not process, store, or access any personal data on behalf of our customers. Our solution analyzes static code and security findings without handling any user, or production data. Since we do not act as a data processor under GDPR or similar regulations, a DPA is unnecessary.

After I click "Create a Pull Request", how do I know when it's ready?

Once you click "Create a Pull Request" after reviewing a fix, Mobb will begin creating the PR in the background. You’re free to navigate away from the page—there’s no need to wait.

The PR status will be displayed at the top of the screen:

• In progress: The PR is still being created.
• Completed: The PR has been successfully created, and a direct link to the PR will be shown.