Supported FP Rules
A "false positive rule" (FP rule) is a rule that reliably identifies incorrect SAST findings, that is, alerts on code that is not actually vulnerable.
All FP rules meet the following criteria:
High confidence that the finding is a false positive
Tested against real-world code samples to avoid suppressing true positives
A clear explanation is provided for why the finding is considered a false positive
Here are the categories of FP rules that Mobb currently supports. If there's an FP pattern you'd like to see added, please contact us at [email protected].
Because different SAST tools may report the same false positive under inconsistent names, the issue names shown below are normalized by Mobb.

List of Supported Issue Types for Snyk
C#
Cross-site Scripting (XSS)
GO
Hardcoded Non Crypto Secret
Hardcoded Non Crypto Secret Test
Hardcoded Password
Hardcoded Password Test
Hardcoded Secret Test
No Hardcoded Credentials
No Hardcoded Credentials Test
Java
No Hardcoded Credentials
No Hardcoded Credentials Test
JavaScript / TypeScript
PHP
Hardcoded Credential
Hardcoded Credential Test
Hardcoded Non Crypto Secret
Hardcoded Password
Hardcoded Password Test
Python
Cross Site Scripting (XSS)
Hardcoded Iv
Hardcoded Key
HardcodedNonCryptoSecret
HardcodedNonCryptoSecret/test
No Hardcoded Credentials Test
No Hardcoded Passwords Test
NoHardcodedCredentials
NoHardcodedPasswords

List of Supported Issue Types for Fortify
CPP
C#
Cross-Site Scripting: Persistent
DEFAULT
GO
Java
JavaScript / TypeScript
PHP
Python
YAML

List of Supported Issue Types for Checkmarx
C#
Hardcoded Credentials
Hardcoded password in Connection String
JWT Use Of Hardcoded Secret
Log Forging
Path Traversal
Reflected XSS
Reflected XSS All Clients
Stored XSS
Use Of Hardcoded Password
GO
Hardcoded AWS Credentials
Hardcoded Password in Connection String
Log Forging
Use of Hardcoded Password
Java
Absolute Path Traversal
Improper Restriction of Stored XXE Ref
Improper Restriction of XXE Ref
Information Exposure Through an Error Message
Relative Path Traversal
SSRF
Stored Absolute Path Traversal
Unchecked Input for Loop Condition
JavaScript / TypeScript
Client DOM Stored XSS
Client DOM XSS
Client Potential XSS
Client Regex Injection
Hardcoded password in Connection String
JWT Use Of Hardcoded Secret
Secret_Leak
SQL Injection
Stored XSS
Use Of Hardcoded Password
PHP
Hardcoded Salt
Use of Hardcoded Cryptographic IV
Use Of Hardcoded Password
Python
Hardcoded AWS Credentials
Hardcoded Password in Connection String
Reversible One Way Hash
Use of Hardcoded Cryptographic Key
Use Of Hardcoded Password

List of Supported Issue Types for CodeQL
CPP
C#
GO
Hardcoded Credentials
Java
JavaScript / TypeScript
Python

List of Supported Issue Types for Semgrep/Opengrep
C#
DEFAULT
DOCKERFILE
GO
Java
java/mobb.pt_find_transitives
JavaScript / TypeScript
Python
SQL