Supported FP Rules

A "false positive rule" is defined as a rule that reliably identifies incorrect SAST findings, basically alerts on code that is not actually vulnerable.

All FP rules meet the following criteria:

High confidence that the finding is a false positive
Tested against real-world code samples to avoid suppressing true positives
Clear explanation is provided for why the finding is considered a false positive

Here are the categories of FP rules that Mobb currently supports. If there's an FP pattern you'd like to see added, please contact us at [email protected].

Since different SAST tools may report false positives under inconsistent names, the issue names shown are normalized by Mobb.

List of Supported Issue Types for Snyk

Hardcoded Non Crypto Secret
Hardcoded Non CryptoSecret Test
Hardcoded Password
Hardcoded Password Test
Hardcoded Secret Test
No Hardcoded Credentials
No Hardcoded Credentials Test

Java

Arbitrary File Write via Archive Extraction (Zip Slip)
No Hardcoded Credentials
NoHardcoded Credentials Test
Open Redirect
Path Traversal
Server-Side Request Forgery (SSRF)
XML External Entity (XXE) Injection

JavaScript / TypeScript

PHP

Hardcoded Credential
Hardcoded Credential Test
Hardcoded Non Crypto Secret
Hardcoded Password
Hardcoded Password Test

Python

Arbitrary File Write via Archive Extraction (Tar Slip)
Command Injection
Hardcoded Iv
Hardcoded Key
HardcodedNonCryptoSecret
HardcodedNonCryptoSecret/test
No Hardcoded Credentials Ttest
No Hardcoded Passwords Test
NoHardcodedCredentials
NoHardcodedPasswords
SQL Injection

List of Supported Issue Types for Fortify

DEFAULT

Password Management: Weak Cryptography

Java

JavaScript / TypeScript

PHP

Python

YAML

Password Management: Hardcoded Password

List of Supported Issue Types for Checkmarx

Hardcoded Credentials
Hardcoded password in Connection String
JWT Use Of Hardcoded Secret
Log Forging
Use Of Hardcoded Password

Hardcoded AWS Credentials
Hardcoded Password in Connection String
Log Forging
Use of Hardcoded Password

Java

Absolute Path Traversal
Improper Restriction of Stored XXE Ref
Improper Restriction of XXE Ref
Information Exposure Through an Error Message
Open Redirect
Password In Comment
Relative Path Traversal
Reversible One Way Hash
SSRF
Stored Absolute Path Traversal
Unchecked Input for Loop Condition
Unsafe Object Binding
Use Of Broken Or Risky Cryptographic Algorithm

JavaScript / TypeScript

Client Weak Cryptographic Hash
Hardcoded password in Connection String
JWT Use Of Hardcoded Secret
Secret_Leak
SQL Injection
Use Of Broken Or Risky Cryptographic Algorithm
Use Of Hardcoded Password

PHP

Hardcoded Salt
Use of Hardcoded Cryptographic IV
Use Of Hardcoded Password

Python

Hardcoded AWS Credentials
Hardcoded Password in Connection String
Hardcoded Secrets
Log Forging
Reversible One Way Hash
Second Order SQL Injection
SQL Injection
Unchecked Input for Loop Condition
Use Of Broken Or Risky Cryptographic Algorithm
Use of Hardcoded Cryptographic Key
Use Of Hardcoded Password

List of Supported Issue Types for SonarQube

DEFAULT

[Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/go:S2068 Hard-coded credentials are security-sensitive)

Java

JavaScript / TypeScript

PHP

Python

YAML

Credentials should not be hard-coded

List of Supported Issue Types for CodeQL

Log entries created from user input

Hardcoded Credentials
Log entries created from user input

Java

JavaScript / TypeScript

Python

List of Supported Issue Types for Semgrep/Opengrep

DEFAULT

Java

JavaScript / TypeScript

Python

SQL

List of Supported Issue Types for Datadog

Java

JavaScript / TypeScript

Do not use weak hash functions

Python

PreviousSupported Fixes NextGetting Started

Last updated 3 days ago

Was this helpful?