CtrlK

Start Now Blogs Watch Now Contact Us

Supported FP Rules

A "false positive rule" is defined as a rule that reliably identifies incorrect SAST findings, basically alerts on code that is not actually vulnerable.

All FP rules meet the following criteria:

High confidence that the finding is a false positive
Tested against real-world code samples to avoid suppressing true positives
Clear explanation is provided for why the finding is considered a false positive

Here are the categories of FP rules that Mobb currently supports. If there's an FP pattern you'd like to see added, please contact us at [email protected].

Since different SAST tools may report false positives under inconsistent names, the issue names shown are normalized by Mobb.

List of Supported Issue Types for Snyk

C#

GO

Hardcoded Non Crypto Secret
Hardcoded Non CryptoSecret Test
Hardcoded Password
Hardcoded Password Test
Hardcoded Secret Test
No Hardcoded Credentials
No Hardcoded Credentials Test

Java

Arbitrary File Write via Archive Extraction (Zip Slip)
No Hardcoded Credentials
NoHardcoded Credentials Test
Open Redirect
Path Traversal
Server-Side Request Forgery (SSRF)
XML External Entity (XXE) Injection

JavaScript / TypeScript

PHP

Hardcoded Credential
Hardcoded Credential Test
Hardcoded Non Crypto Secret
Hardcoded Password
Hardcoded Password Test

Python

Arbitrary File Write via Archive Extraction (Tar Slip)
Code Injection
Command Injection
Cross Site Scripting (XSS)
Hardcoded Iv
Hardcoded Key
HardcodedNonCryptoSecret
HardcodedNonCryptoSecret/test
Jinja auto-escape is set to false
No Hardcoded Credentials Test
No Hardcoded Passwords Test
NoHardcodedCredentials
NoHardcodedPasswords
SQL Injection

List of Supported Issue Types for Fortify

CPP

C#

Cross-Site Scripting: Persistent
Log Forging
Open Redirect
Password Management: Hardcoded Password
Path Manipulation
Path Manipulation: Base Path Overwriting

DEFAULT

GO

Java

JavaScript / TypeScript

PHP

Python

YAML

Password Management: Hardcoded Password

List of Supported Issue Types for Checkmarx

C#

Hardcoded Credentials
Hardcoded password in Connection String
JWT Use Of Hardcoded Secret
Log Forging
Path Traversal
Reflected XSS
Reflected XSS All Clients
Stored XSS
Use Of Hardcoded Password

GO

Hardcoded AWS Credentials
Hardcoded Password in Connection String
Log Forging
Use of Hardcoded Password

Java

Absolute Path Traversal
Improper Restriction of Stored XXE Ref
Improper Restriction of XXE Ref
Information Exposure Through an Error Message
Open Redirect
Password In Comment
Relative Path Traversal
Reversible One Way Hash
SSRF
Stored Absolute Path Traversal
Unchecked Input for Loop Condition
Unsafe Object Binding
Use Of Broken Or Risky Cryptographic Algorithm

JavaScript / TypeScript

Client DOM Stored XSS
Client DOM XSS
Client Potential XSS
Client Regex Injection
Client Weak Cryptographic Hash
Hardcoded password in Connection String
HttpOnly Cookie Flag Not Set
JWT Use Of Hardcoded Secret
Missing HSTS Header
Secret_Leak
SQL Injection
Stored XSS
Use Of Broken Or Risky Cryptographic Algorithm
Use Of Hardcoded Password

PHP

Hardcoded Salt
Use of Hardcoded Cryptographic IV
Use Of Hardcoded Password

Python

Code Injection
Hardcoded AWS Credentials
Hardcoded Password in Connection String
Hardcoded Secrets
Log Forging
Reversible One Way Hash
Second Order SQL Injection
SQL Injection
Stored Code Injection
Stored Command Argument Injection
Stored Command Argument Injection
Unchecked Input for Loop Condition
Use Of Broken Or Risky Cryptographic Algorithm
Use of Hardcoded Cryptographic Key
Use Of Hardcoded Password
XSS

List of Supported Issue Types for SonarQube

C#

DEFAULT

GO

Hard-coded credentials are security-sensitive

Java

JavaScript / TypeScript

PHP

Python

YAML

Credentials should not be hard-coded

List of Supported Issue Types for CodeQL

CPP

No space for zero terminator

C#

GO

Hardcoded Credentials
Log entries created from user input

Java

JavaScript / TypeScript

Python

List of Supported Issue Types for Semgrep/Opengrep

C#

csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash

DEFAULT

DOCKERFILE

GO

Java

JavaScript / TypeScript

Python

SQL

List of Supported Issue Types for Datadog

Java

JavaScript / TypeScript

Do not use weak hash functions

Python

PreviousSupported Fixes NextGetting Started

Last updated 7 days ago

Was this helpful?