Supported Fixes

A "fix" is defined as a code remediation that has been validated and tested by Mobb engineers.

For a fix to be considered stable, it must meet the following criteria:

  • The fix addresses the security issue as identified by the SAST tool

  • The fix is recognized by the SAST tool (on re-scan, the tool reports the finding as fixed)

This differs from an "experimental fix", which may require further validation and testing to ensure its accuracy.

Here are the categories of stable fixes that Mobb currently supports. If there is a category that you'd like to see Mobb support that is not listed here, please send us an email at support@mobb.ai.

If you'd like us to support a SAST tool that is not listed here, please tell us by submitting it here.

Since different SAST vendors often name issues differently, the issue names in parentheses are the Mobb normalized names.

List of Supported Issue Types for Snyk

Java

  • Path Traversal

  • XSS

  • XXE

  • Command Injection

  • SQL Injection

  • Server-Side Request Forgery

  • HTTP Response Splitting

  • Cookie is not HttpOnly

  • Insecure Cookie

  • Trust Boundary Violations

  • Regex Injection

JavaScript

  • SQL Injection

  • Server-Side Request Forgery

  • Regex Injection

  • XSS

  • Open Redirect

  • GraphQL Depth Limit

  • External System Information Leak

  • Path Traversal

  • Hardcoded Secrets

  • Command Injection

C#

  • XXE

  • Server-Side Request Forgery

  • Path Traversal

  • SQL Injection

  • Log Forging

  • Missing Anti-forgery Validation

  • Cookie is not HttpOnly

  • Insecure Cookie

List of Supported Issue Types for Checkmarx

Java

  • Path Traversal

  • XSS

  • XXE

  • Command Injection

  • SQL Injection

  • Server-Side Request Forgery

  • Log Forging

  • Cookie is not HttpOnly

  • System Information Leak

  • Unchecked Loop Condition

  • Trust Boundary Violations

  • Regex Injection

  • Error Condition Without Action

  • Locale Dependent Comparison

  • Race Condition Format Flaw

  • Overly Broad Catch

JavaScript

  • SQL Injection

  • Insecure Randomness

  • Log Forging

  • XSS

  • Open Redirect

  • Password in Comment

  • Unsafe Target Blank

  • Missing iframe Sandbox

  • jQuery Deprecated Symbols

  • Path Traversal

  • Deprecated Function

  • Hardcoded Secrets

  • Command Injection

  • Prototype Pollution

  • Missing HSTS Header

  • Server-Side Request Forgery

C#

  • Server-Side Request Forgery

  • Log Forging

  • XXE

  • SQL Injection

  • Path Traversal

  • Unsafe Deserialization

  • Improper Resource Shutdown or Release

  • Improper Exception Handling

  • Trust Boundary Violations

  • Insecure Cookie

SQL

  • Default Definer Rights in Package or Object Definition

List of Supported Issue Types for Fortify

Java

  • SQL Injection

  • XML Entity Expansion Injection (XXE)

  • XML External Entity Injection (XXE)

  • Cross-Site Scripting: Reflected (XSS)

  • Path Manipulation (Path Traversal)

  • Path Manipulation: Zip Entry Overwrite (Path Traversal)

  • Missing Check against Null

  • Log Forging

  • Password Management: Password in Comment (Password in Comment)

  • Poor Error Handling: Overly Broad Catch (Overly Broad Catch)

  • Poor Logging Practice: Use of a System Output Stream (Use of System.out/System.err)

  • Denial of Service: StringBuilder

  • System Information Leak

  • Command Injection

  • Server-Side Request Forgery

  • Cookie Security: HTTPOnly not Set (Cookie is not HttpOnly)

  • Cookie Security: Cookie not Sent Over SSL (Insecure Cookie)

  • Trust Boundary Violation

  • Denial of Service: Regular Expression (Regex Injection)

  • System Information Leak: HTML Comment in JSP (HTML Comment in JSP)

  • Portability Flaw: Locale Dependent Comparison (Locale Dependent Comparison)

  • Race Condition: Format Flaw (Race Condition Format Flaw)

  • Poor Style: Non-final Public Static Field (Non-final Public Static Field)

  • Dead Code: Unused Field

JavaScript

  • Command Injection

  • Insecure Randomness

  • Password Management: Password in Comment (Password in Comment)

  • System Information Leak

  • System Information Leak: External (External System Information Leak)

  • Path Manipulation (Path Traversal)

  • Path Manipulation: Zip Entry Overwrite (Path Traversal)

  • Password Management: Hardcoded Password (Hardcoded Secrets)

C#

  • XML Entity Expansion Injection (XXE)

  • Password Management: Password in Comment (Password in Comment)

  • Poor Logging Practice: Use of a System Output Stream (Use of System.out/System.err)

  • Path Manipulation (Path Traversal)

  • System Information Leak

  • SQL Injection

  • Log Forging

  • Mass Assignment: Insecure Binder Configuration (Insecure Binder Configuration)

  • Poor Error Handling: Overly Broad Catch (Overly Broad Catch)

  • ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation (Missing Anti-forgery Validation)

  • Null Dereference

  • Header Manipulation

XML

  • Weak XML Schema: Unbounded Occurrences

  • Password Management: Password in Comment (Password in Comment)

List of Supported Issue Types for CodeQL

Java

  • Path Traversal

  • XSS

  • XXE

  • Command Injection

  • SQL Injection

  • Relative Path Command Injection

  • Server-Side Request Forgery

  • Log Forging

  • HTTP Response Splitting

  • Insecure Cookie

JavaScript

  • SQL Injection

  • Insecure Randomness

  • Server-Side Request Forgery

  • Type Confusion

  • Regex Injection

  • Incomplete URL Sanitization

  • Log Forging

  • XSS

  • Path Traversal

  • Open Redirect

C#

  • Log Forging

  • XXE

  • Path Traversal

  • Unsafe Deserialization

C++

  • Use of dangerous function

To learn more about configuring your fix policies in Mobb, click here.