How does Mobb deal with False Positive SAST findings?

We designed Mobb to address all supported issues, irrespective of their exploitability level. For example, in the case of an injection-style vulnerability, if the user input isn't directly processed in a particular code segment and is erroneously flagged by SAST, it remains uncertain whether this vulnerable code might be copied or invoked from another section of the application later on, rendering it vulnerable. Our approach is to resolve the issue regardless. This ensures compliance with the SAST scanner, thereby benefiting both development and security teams.

How is Mobb licensed?

Mobb uses contributing developers as the licensing unit.

How does Mobb define contributing developers?

Mobb defines contributing developers as developers who, in the last 90 days, committed code to a repo Mobb is used to fix issues in.

How do I find out which fixes were previously committed?

From the Report page:

From the Fix page:

How do I find out the total number of fixes available compared to the total number of findings in the original SAST report?

On the Fix Report page, hover over the (!) icon next to the text "Available Fixes" to see the number of issues fixed compared to the number of issues in the original SAST report.

Mobb uses a different naming convention for the issue name compared to the ones used by my SAST provider. How do I see the original issue name?

Mobb currently standardizes the issue names in the user interface, as different SAST providers have different names for the same issue type (e.g., Path Traversal vs. Path Manipulation). If you wish to see the original name as provided by your SAST provider, simply hover over the issue name in the Fix Report page, and a tooltip will appear that shows the original issue name.