Supported FP Rules

A false positive rule is a rule that Mobb executes against reported SAST findings to reliably identify if the code instances are not actually vulnerable.

All FP rules meet the following criteria:

High confidence that the identified finding is a false positive
Tested against real-world code samples to avoid suppressing true positives
Clear explanation is provided for why the finding is considered a false positive

Here are the categories of FP rules that Mobb currently supports. If there's an FP pattern you'd like to see added, please contact us at [email protected].

Since different SAST tools may report false positives under inconsistent names, the issue names shown are normalized by Mobb.

List of Supported Issue Types for Snyk

Command Injection
Cross-site Scripting (XSS)
Hardcoded Non Crypto Secret
Hardcoded Non CryptoSecret Test
Hardcoded Password
Hardcoded Password Test
Hardcoded Secret Test
No Hardcoded Credentials
No Hardcoded Credentials Test
SQL Injection

Java

Arbitrary File Write via Archive Extraction (Zip Slip)
Cross-site Scripting (XSS)
No Hardcoded Credentials
NoHardcoded Credentials Test
Open Redirect
Path Traversal
Server-Side Request Forgery (SSRF)
SQL Injection
XML External Entity (XXE) Injection

JavaScript / TypeScript

PHP

Hardcoded Credential
Hardcoded Credential Test
Hardcoded Non Crypto Secret
Hardcoded Password
Hardcoded Password Test

Python

Arbitrary File Write via Archive Extraction (Tar Slip)
Code Injection
Command Injection
Cross Site Scripting (XSS)
Hardcoded Iv
Hardcoded Key
HardcodedNonCryptoSecret
HardcodedNonCryptoSecret/test
Jinja auto-escape is set to false
No Hardcoded Credentials Test
No Hardcoded Passwords Test
NoHardcodedCredentials
NoHardcodedPasswords
SQL Injection

List of Supported Issue Types for Fortify

CPP

DEFAULT

DOCKERFILE

Java

JavaScript / TypeScript

PHP

Python

XML

Password Management: Password in Comment

YAML

Password Management: Hardcoded Password

List of Supported Issue Types for Checkmarx

Dynamic SQL Queries
Hardcoded Credentials
Hardcoded password in Connection String
JWT Use Of Hardcoded Secret
Log Forging
Path Traversal
Reflected XSS
Reflected XSS All Clients
SQL Injection
Stored XSS
Use Of Broken Or Risky Cryptographic Algorithm
Use Of Hardcoded Password
Use of Insufficiently Random Values

Command Injection
Hardcoded AWS Credentials
Hardcoded Password in Connection String
Log Forging
Second Order SQL Injection
SQL Injection
Use of Hardcoded Password

Java

Absolute Path Traversal
Improper Restriction of Stored XXE Ref
Improper Restriction of XXE Ref
Information Exposure Through an Error Message
Open Redirect
Password In Comment
Privacy Violation
Reflected XSS All Clients
Relative Path Traversal
Reversible One Way Hash
SQL Injection
SQL Injection Evasion Attack
SSRF
Stored Absolute Path Traversal
Stored XSS
Unchecked Input for Loop Condition
Unsafe Object Binding
Use Of Broken Or Risky Cryptographic Algorithm

JavaScript / TypeScript

Absolute Path Traversal
Client DOM Code Injection
Client DOM Open Redirect
Client DOM Stored XSS
Client DOM XSS
Client Password In Comment
Client Potential XSS
Client Regex Injection
Client Weak Cryptographic Hash
Hardcoded password in Connection String
HttpOnly Cookie Flag Not Set
JWT Use Of Hardcoded Secret
Log Forging
Missing HSTS Header
Open Redirect
Relative Path Traversal
Secret_Leak
SQL Injection
SSRF
Stored XSS
Use Of Broken Or Risky Cryptographic Algorithm
Use Of Hardcoded Password

PHP

Hardcoded Salt
Use of Hardcoded Cryptographic IV
Use Of Hardcoded Password

Python

Code Injection
Command Argument Injection
Hardcoded AWS Credentials
Hardcoded Password in Connection String
Hardcoded Secrets
Log Forging
Password in Comment
Reversible One Way Hash
Second Order SQL Injection
SQL Injection
Stored Code Injection
Stored Command Argument Injection
Stored Command Argument Injection
Unchecked Input for Loop Condition
Use Of Broken Or Risky Cryptographic Algorithm
Use of Hardcoded Cryptographic Key
Use Of Hardcoded Password
XSS

List of Supported Issue Types for SonarQube

DEFAULT

DOCKERFILE

S6471 Running containers as a privileged user is security-sensitive

Constructing arguments of system commands from user input is security-sensitive
Database queries should not be vulnerable to injection attacks
Formatting SQL queries is security-sensitive
Hard-coded credentials are security-sensitive
Using weak hashing algorithms is security-sensitive

Java

JavaScript / TypeScript

PHP

Python

YAML

Credentials should not be hard-coded

List of Supported Issue Types for CodeQL

CPP

No space for zero terminator

Hard-coded Connection String Credentials
Hard-coded credentials
Insecure randomness
Log entries created from user input
SQL Injection
SQL Injection
Uncontrolled data used in path expression

Command Injection
Hardcoded Credentials
Log entries created from user input
SQL Injection

Java

JavaScript / TypeScript

Python

List of Supported Issue Types for Semgrep/Opengrep

DEFAULT

DOCKERFILE

Java

JavaScript / TypeScript

Python

SQL

YAML

List of Supported Issue Types for Datadog

SQL Injection

Java

JavaScript / TypeScript

Do not use weak hash functions
Path traversal
SQL Injection
SQL Injection

Python

Avoid SQL injections
Do not use an empty list as a default parameter
Insecure hash functions
no-exec

PreviousSupported Fixes NextGetting Started

Last updated 15 days ago