Mobb User Docs
Start NowBlogsWatch NowContact Us
  • What is Mobb?
  • What's New with Mobb
  • Supported Fixes
  • Getting Started
    • System Requirements
    • Onboarding Guide
      • Registering a Mobb account
      • Try Mobb now!
      • Running Mobb against your own code
      • Automate Mobb in a CI/CD pipeline
    • Working with the Fix Report
    • Mobb CLI Overview
      • Analyze Mode
      • Scan Mode
      • Add SCM Token Mode
      • Review Mode
      • Convert-to-SARIF Mode
      • Common Deployment Scenarios
  • Mobb Dashboard
  • Integrating SAST Findings
    • Checkmarx
      • Generating Checkmarx One JSON Report from CLI
    • Snyk
    • SonarQube
      • Generating a SonarQube SAST Report
    • Fortify
    • CodeQL
    • Semgrep/Opengrep
      • Generating a Semgrep SAST Report
      • Generating an Opengrep SAST Report
  • CI/CD Integrations
    • GitHub Actions
      • GitHub Fixer for CxOne
      • GitHub Fixer for Opengrep
    • GitLab Pipeline
    • Azure DevOps
    • Jenkins
    • CircleCI
    • Bamboo
    • Bitbucket Pipeline
    • Harness
  • Administration
    • User Management
    • Project Settings
    • Access Tokens
    • Organization-Level Fix Policy
    • Integrations Page
    • Single Sign-On (SSO)
      • Connecting Okta to Mobb
      • SAML Single Sign-On Flow
  • More Info
    • Mobb Broker
      • Mobb Broker Token Rotation
      • Secure storage of Mobb broker in AWS Secrets Manager
    • Providing Fix Feedback
    • Frequently Asked Questions (FAQ)
    • Data Protection and Retention
    • Service Level Agreement
  • Fixing Guides
    • SQL Injection
    • Path Traversal
    • Log Forging
    • XSS
    • XXE
    • Server Side Request Forgery
    • HttpOnly Cookie Vulnerabilities
    • Hardcoded Domain in HTML
    • Hardcoded Secrets
    • HTTP Response Splitting Attacks
    • Insecure Cookie Vulnerabilities
    • Insecure Randomness
    • Missing Check against Null
    • Missing Rate Limiting
    • Regex Missing Timeout
    • System Information Leakage
  • Mobb REST API Guide
Powered by GitBook
On this page

Was this helpful?

Supported Fixes

A "fix" is defined as a code remediation that has been validated and tested by Mobb engineers.

All fixes must meet the following criteria:

  • The fix addresses the security issue as identified by the SAST tool

  • The fix should be recognized by the SAST tool (The SAST tool should recognize the finding as fixed upon re-scan)

Here are the categories of fixes that Mobb currently supports. If there is a category you'd like to see Mobb support that is not listed here, please email us at support@mobb.ai.

If you'd like us to support a SAST tool that is not listed here, please tell us by submitting it here.

Since different SAST vendors often name issues differently, the issue names in parentheses are the Mobb normalized names.

List of Supported Issue Types for Snyk

C#

  • Anti-forgery token validation disabled

  • Arbitrary File Write via Archive Extraction (Zip Slip)

  • Log Forging

  • Path Traversal

  • Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • Sensitive Cookie Without 'HttpOnly' Flag

  • Server-Side Request Forgery (SSRF)

  • SQL Injection

  • Use of Insufficiently Random Values

  • XML External Entity (XXE) Injection

GO

  • Clear Text Logging

  • Improper Certificate Validation

  • Insecurely Generated Password

Java

  • Arbitrary File Write via Archive Extraction (Zip Slip)

  • Command Injection

  • Cross-site Scripting (XSS)

  • Improper Neutralization of CRLF Sequences in HTTP Headers

  • Open Redirect

  • Path Traversal

  • Regular expression injection

  • Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • Sensitive Cookie Without 'HttpOnly' Flag

  • Server-Side Request Forgery (SSRF)

  • SQL Injection

  • Trust Boundary Violation

  • XML External Entity (XXE) Injection

JavaScript / TypeScript

  • Allocation of Resources Without Limits or Throttling

  • Command Injection

  • Cross-site Scripting (XSS)

  • Denial of Service (DoS) through Nested GraphQL Queries

  • Indirect Command Injection via User Controlled Environment

  • NoSQL Injection

  • Open Redirect

  • Path Traversal

  • Privacy Leak

  • Prototype Pollution

  • Regular Expression Denial of Service (ReDoS)

  • Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • Server-Side Request Forgery (SSRF)

  • SQL Injection

PHP

  • Hardcoded Credential

  • Hardcoded Credential Test

  • Hardcoded Non Crypto Secret

  • Hardcoded Password

  • Hardcoded Password Test

Python

  • Arbitrary File Write via Archive Extraction (Tar Slip)

  • Command Injection

  • Cross Site Scripting (XSS)

  • Debug Mode Enabled

  • Incomplete URL sanitization

  • Jinja auto-escape is set to false

  • Path Traversal

  • Regular Expression Denial of Service (ReDoS)

  • SQL Injection

List of Supported Issue Types for Fortify

C#

  • ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation

  • Cookie Security: HTTPOnly not Set on Application Cookie

  • Cookie Security: Session Cookie not Sent Over SSL

  • Header Manipulation

  • Insecure Randomness

  • Insecure Randomness: Hardcoded Seed

  • Log Forging

  • Mass Assignment: Insecure Binder Configuration

  • Null Dereference

  • Object Model Violation: Just One of Equals() and GetHashCode() Defined

  • Password Management: Password in Comment

  • Path Manipulation

  • Path Manipulation: Base Path Overwriting

  • Path Manipulation: Zip Entry Overwrite

  • Poor Error Handling: Overly Broad Catch

  • Poor Logging Practice: Use of a System Output Stream

  • SQL Injection

  • System Information Leak

  • System Information Leak: Internal

  • Trust Boundary Violation

  • XML Entity Expansion Injection

  • XML External Entity Injection

GO

  • Log Forging

Java

  • Code Correctness: Class Does Not Implement Equivalence Method

  • Code Correctness: Comparison of Boxed Primitive Types

  • Code Correctness: Erroneous String Compare

  • Command Injection

  • Cookie Security: Cookie not Sent Over SSL

  • Cookie Security: HTTPOnly not Set

  • Cross-Site Scripting: Reflected

  • Denial of Service: Regular Expression

  • Denial of Service: StringBuilder

  • Insecure Randomness

  • J2EE Bad Practices: Leftover Debug Code

  • J2EE Bad Practices: Threads

  • Log Forging

  • Log Forging (debug)

  • Missing Check against Null

  • Null Dereference

  • Open Redirect

  • Password Management: Password in Comment

  • Path Manipulation

  • Path Manipulation: Zip Entry Overwrite

  • Poor Error Handling: Empty Catch Block

  • Poor Error Handling: Overly Broad Catch

  • Poor Logging Practice: Use of a System Output Stream

  • Poor Style: Confusing Naming

  • Poor Style: Non-final Public Static Field

  • Poor Style: Value Never Read

  • Portability Flaw: Locale Dependent Comparison

  • Privacy Violation

  • Race Condition: Format Flaw

  • Server-Side Request Forgery

  • SQL Injection

  • System Information Leak

  • System Information Leak: HTML Comment in JSP

  • System Information Leak: Internal

  • Trust Boundary Violation

  • Unreleased Resource: Database

  • Unreleased Resource: Files

  • Unreleased Resource: Sockets

  • Unreleased Resource: Streams

  • Unreleased Resource: Synchronization

  • Unreleased Resource: Unmanaged Object

  • Weak Cryptographic Hash

  • XML Entity Expansion Injection

  • XML External Entity Injection

JavaScript / TypeScript

  • Command Injection

  • Cookie Security: Cookie not Sent Over SSL

  • Cross-Site Scripting: DOM

  • Cross-Site Scripting: Self

  • Hardcoded Domain in HTML

  • Insecure Randomness

  • Insecure Randomness: Hardcoded Seed

  • Open Redirect

  • Password Management: Password in Comment

  • Path Manipulation

  • Privacy Violation: Autocomplete

  • System Information Leak: External

  • System Information Leak: Internal

PHP

  • Insecure Randomness

  • Key Management: Hardcoded Encryption Key

  • Password Management: Hardcoded Password

  • Weak Cryptographic Hash: Hardcoded Salt

Python

  • Cross-Site Request Forgery

  • Password Management: Password in Comment

  • Path Manipulation

  • SQL Injection

  • System Information Leak: Internal

  • Weak Cryptographic Hash

XML

  • Password Management: Password in Comment

  • Weak XML Schema: Unbounded Occurrences

YAML

  • Password Management: Hardcoded Password

List of Supported Issue Types for Checkmarx

C#

  • Declaration Of Catch For Generic Exception

  • Deserialization of Untrusted Data

  • Heap Inspection

  • HttpOnlyCookies

  • Improper Exception Handling

  • Improper Resource Shutdown or Release

  • Improper Restriction of XXE Ref

  • Information Exposure Through an Error Message

  • Information Exposure via Headers

  • Insecure Cookie

  • Insufficient Logging of Exceptions

  • Insufficient Logging of Sensitive Operations

  • Just One of Equals and Hash code Defined

  • Log Forging

  • Missing HSTS Header

  • Path Traversal

  • Reflected XSS All Clients

  • SQL Injection

  • SSRF

  • Stored XSS

  • Trust Boundary Violation in Session Variables

  • Unsafe Object Binding

  • Unvalidated Arguments Of Public Methods

  • Use of Insufficiently Random Values

  • Value Shadowing

GO

  • Log Forging

  • Privacy Violation

  • SSL Verification Bypass

  • Use of Cryptographically Weak PRNG

Java

  • Absolute Path Traversal

  • Command Injection

  • Confusing Naming

  • Declaration Of Catch For Generic Exception

  • Detection of Error Condition Without Action

  • Frameable loging page

  • HttpOnlyCookies

  • Improper Resource Shutdown or Release

  • Improper Restriction of Stored XXE Ref

  • Improper Restriction of XXE Ref

  • Information Exposure Through an Error Message

  • Log Forging

  • Open Redirect

  • Password In Comment

  • Portability Flaw Locale Dependent Comparison

  • Privacy Violation

  • Race Condition Format Flaw

  • ReDoS From Regex Injection

  • Reflected XSS All Clients

  • Relative Path Traversal

  • Reversible One Way Hash

  • SQL Injection

  • SQL Injection Evasion Attack

  • SSRF

  • Stored Absolute Path Traversal

  • Stored Log Forging

  • Stored XSS

  • Trust Boundary Violation in Session Variables

  • Unchecked Input for Loop Condition

  • Unsafe Object Binding

  • Use Of Broken Or Risky Cryptographic Algorithm

  • Use of Hard coded Cryptographic Key

  • Use of Non Cryptographic Random

  • Use of Wrong Operator in String Comparison

JavaScript / TypeScript

  • Absolute Path Traversal

  • Client DOM Open Redirect

  • Client DOM Stored Code Injection

  • Client DOM Stored XSS

  • Client DOM XSS

  • Client Hardcoded Domain

  • Client Insecure Randomness

  • Client JQuery Deprecated Symbols

  • Client Password In Comment

  • Client Potential XSS

  • Client Regex Injection

  • Client Use Of Iframe Without Sandbox

  • Client Weak Cryptographic Hash

  • Command Injection

  • Log Forging

  • Missing CSP Header

  • Missing HSTS Header

  • Open Redirect

  • Prototype Pollution

  • Relative Path Traversal

  • Server DoS by loop

  • Server DoS by Loop

  • SQL Injection

  • SSRF

  • Stored XSS

  • Unchecked Input For Loop Condition

  • Unprotected Cookie

  • Unsafe Use Of Target blank

  • Use Of Broken Or Risky Cryptographic Algorithm

  • Use of Deprecated or Obsolete Functions

  • Use of Insufficiently Random Values

PHP

  • Hardcoded Salt

  • Use of Hardcoded Cryptographic IV

  • Use Of Hardcoded Password

  • Use of Non Cryptographic Random

Python

  • Debug Enabled

  • Filtering Sensitive Logs

  • Improper Resource Shutdown or Release

  • Information Exposure Through an Error Message

  • Log Forging

  • Password in Comment

  • Path Traversal

  • Privacy Violation

  • ReDoS Injection

  • Reversible One Way Hash

  • Second Order SQL Injection

  • SQL Injection

  • Unchecked Input for Loop Condition

  • Use Of Broken Or Risky Cryptographic Algorithm

  • XSS

SQL

  • Default Definer Rights in Package or Object Definition

  • Second Order SQL Injection

List of Supported Issue Types for SonarQube

C#

  • Composite format strings should be used correctly

  • Creating cookies without the "HttpOnly" flag is security-sensitive

  • Creating cookies without the "secure" flag is security-sensitive

  • Extracting archives should not lead to zip slip vulnerabilities

  • Fields that are only assigned in the constructor should be "readonly"

  • I/O function calls should not be vulnerable to path injection attacks

  • Logging should not be vulnerable to injection attacks

  • Not specifying a timeout for regular expressions is security-sensitive

  • Null pointers should not be dereferenced

  • Sections of code should not be commented out

  • Secure random number generators should not output predictable values

  • Unassigned members should be removed

  • Unread "private" fields should be removed

  • Unused private types or members should be removed

GO

  • Using pseudorandom number generators (PRNGs) is security-sensitive

Java

  • "Preconditions" and logging arguments should not require evaluation

  • Creating cookies without the "HttpOnly" flag is security-sensitive

  • Creating cookies without the "secure" flag is security-sensitive

  • Database queries should not be vulnerable to injection attacks

  • Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

  • Extracting archives should not lead to zip slip vulnerabilities

  • Format strings should be used correctly

  • Generic exceptions should never be thrown

  • I/O function calls should not be vulnerable to path injection attacks

  • javasecurity:S5146 HTTP request redirections should not be open to forging attacks

  • Logging should not be vulnerable to injection attacks

  • Public constants and fields initialized at declaration should be "static final" rather than merely "final"

  • Regular expressions should not be vulnerable to Denial of Service attacks

  • Sections of code should not be commented out

  • Server-side requests should not be vulnerable to traversing attacks

  • String literals should not be duplicated

  • Strings and Boxed types should be compared using "equals()"

  • Try-catch blocks should not be nested

  • Unnecessary imports should be removed

  • Unused "private" fields should be removed

  • Unused assignments should be removed

  • Unused local variables should be removed

  • Using pseudorandom number generators (PRNGs) is security-sensitive

  • Using weak hashing algorithms is security-sensitive

JavaScript / TypeScript

  • Creating cookies without the "secure" flag is security-sensitive

  • Database queries should not be vulnerable to injection attacks

  • Database queries should not be vulnerable to injection attacks

  • DOM updates should not lead to cross-site scripting (XSS) attacks

  • DOM updates should not lead to cross-site scripting (XSS) attacks

  • DOM updates should not lead to open redirect vulnerabilities

  • DOM updates should not lead to open redirect vulnerabilities

  • Dynamically executing code is security-sensitive

  • Fields that are only assigned in the constructor should be "readonly"

  • Formatting SQL queries is security-sensitive

  • Function returns should not be invariant

  • HTTP request redirections should not be open to forging attacks

  • HTTP request redirections should not be open to forging attacks

  • I/O function calls should not be vulnerable to path injection attacks

  • I/O function calls should not be vulnerable to path injection attacks

  • Jump statements should not occur in "finally" blocks

  • Jump statements should not occur in "finally" blocks

  • NoSQL operations should not be vulnerable to injection attacks

  • NoSQL operations should not be vulnerable to injection attacks

  • Regular expressions should not be vulnerable to Denial of Service attacks

  • Regular expressions should not be vulnerable to Denial of Service attacks

  • Sections of code should not be commented out

  • Sections of code should not be commented out

  • Unnecessary character escapes should be removed

  • Unnecessary character escapes should be removed

  • Using pseudorandom number generators (PRNGs) is security-sensitive

  • Using pseudorandom number generators (PRNGs) is security-sensitive

  • Using remote artifacts without integrity checks is security-sensitive

  • Using slow regular expressions is security-sensitive

  • Using slow regular expressions is security-sensitive

  • Using weak hashing algorithms is security-sensitive

  • Variables should be declared explicitly

  • Variables should be declared with "let" or "const"

  • Variables should be declared with "let" or "const"

PHP

  • Credentials should not be hard-coded

  • Hard-coded credentials are security-sensitive

  • Hard-coded secrets are security-sensitive

  • Using pseudorandom number generators (PRNGs) is security-sensitive

Python

  • "Exception" and "BaseException" should not be raised

  • Database queries should not be vulnerable to injection attacks

  • Delivering code in production with debug features activated is security-sensitive

  • Disabling auto-escaping in template engines is security-sensitive

  • Do not name local variables as builtin python functions

  • Do not use identity comparisons (is / is not) with cached types

  • Formatting SQL queries is security-sensitive

  • Function parameters' default values should not be modified or assigned

  • Logging should not be vulnerable to injection attacks

  • Loop boundaries should not be vulnerable to injection attacks

  • Properly use string formatting: add all arguments to the format string, don't supply unused arguments

  • python:S5443 Using publicly writable directories is security-sensitive

  • python:S5754 "SystemExit" should be re-raised

  • Regular expressions should not be vulnerable to Denial of Service attacks

  • Sections of code should not be commented out

  • String literals should not be duplicated

  • The "print" statement should not be used

  • Unused assignments should be removed

  • Using weak hashing algorithms is security-sensitive

  • Wildcard imports should not be used

YAML

  • Credentials should not be hard-coded

  • Ensure whitespace in-between braces in template directives

List of Supported Issue Types for CodeQL

CPP

  • Use of dangerous function

C#

  • Arbitrary file access during archive extraction (”Zip Slip”)

  • Deserialization of untrusted data

  • Insecure randomness

  • Log entries created from user input

  • Uncontrolled data used in path expression

GO

  • Clear-text logging of sensitive information

  • Disabled TLS certificate check

  • Incomplete regular expression for hostnames

  • Log entries created from user input

Java

  • Arbitrary file access during archive extraction (”Zip Slip”)

  • Cross-site scripting

  • Executing a command with a relative path

  • Failure to use secure cookies

  • HTTP response splitting

  • Log Injection

  • Query built by concatenation with a possibly-untrusted string

  • Query built from user-controlled sources

  • Resolving XML external entity in user-controlled data

  • Server-side request forgery

  • Uncontrolled command line

  • Uncontrolled data used in path expression

  • Use of a broken or risky cryptographic algorithm

  • Use of a potentially broken or risky cryptographic algorithm

  • Use of a potentially broken or risky cryptographic algorithm

JavaScript / TypeScript

  • Clear text transmission of sensitive cookie

  • Client-side cross-site scripting

  • Client-side URL redirect

  • Database query built from user-controlled sources

  • Inclusion of functionality from an untrusted source

  • Incomplete regular expression for hostnames

  • Incomplete URL scheme check

  • Incomplete URL substring sanitization

  • Inefficient regular expression

  • Insecure randomness

  • Insecure randomness

  • Log injection

  • Missing rate limiting

  • Overly permissive regular expression range

  • Prototype-polluting assignment

  • Prototype-polluting function

  • Reflected cross-site scripting

  • Regular expression injection

  • Server-side request forgery

  • Server-side URL redirect

  • Type confusion through parameter tampering

  • Uncontrolled data used in path expression

  • Use of a broken or weak cryptographic algorithm

  • Useless regular-expression character escape

Python

  • Arbitrary file write during tarfile extraction

  • Flask app is run in debug mode

  • Incomplete URL substring sanitization

  • Information exposure through an exception

  • Jinja2 templating with autoescape=False

  • Log Injection

  • Overly permissive regular expression range

  • Regular expression injection

  • SQL query built from user-controlled sources

  • Uncontrolled data used in path expression

  • Use of a broken or weak cryptographic algorithm

  • Use of a broken or weak cryptographic hashing algorithm on sensitive data

  • XSS

List of Supported Issue Types for Semgrep/Opengrep

GO

  • Cookie Missing HTTP only

  • go.lang.security.audit.dangerous-exec-command.dangerous-exec-command

  • go.lang.security.injection.open-redirect.open-redirect

  • gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check

  • insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification

  • lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion

  • lang.security.audit.crypto.use_of_weak_crypto.use-of-md5

  • lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1

  • lang.security.audit.dangerous-exec-command.dangerous-exec-command

  • lang.security.audit.sqli.pgx-sqli.pgx-sqli

  • lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter

Java

  • java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly

  • java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag

  • java.lang.security.audit.crypto.weak-random.weak-random

  • java.servlets.security.cookie-issecure-false.cookie-issecure-false

  • lang.security.audit.crypto.use-of-md5.use-of-md5

  • lang.security.audit.crypto.use-of-sha1.use-of-sha1

  • lang.security.audit.sqli.jdbc-sqli.jdbc-sqli

  • lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request

  • lang.security.audit.unvalidated-redirect.unvalidated-redirect

  • spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect

JavaScript / TypeScript

  • html.security.audit.missing-integrity.missing-integrity

  • javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape

  • javascript.lang.security.audit.detect-redos-mobb.detect-redos-mobb

  • javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • lang.security.audit.sqli.node-knex-sqli.node-knex-sqli

  • lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli

  • mobb.security.audit.express-check-cmdi

Python

  • django.security.injection.tainted-sql-string.tainted-sql-string

  • flask.security.injection.tainted-sql-string.tainted-sql-string

  • python.django.security.django-no-csrf-token.django-no-csrf-token

  • python.django.security.injection.open-redirect.open-redirect

  • python.flask.security.audit.debug-enabled.debug-enabled

  • python.lang.security.audit.formatted-sql-query.formatted-sql-query

  • python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli

  • python.lang.security.audit.subprocess-shell-true.subprocess-shell-true

  • python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5

  • python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1

  • python.lang.security.insecure-uuid-version.insecure-uuid-version

  • python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text

  • python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query

  • python.tarfile-extractall-traversal.tarfile-extractall-traversal

YAML

  • yaml.github-actions.security.run-shell-injection.run-shell-injection

List of Supported Issue Types for Datadog

Java

  • Avoid user-input file

  • Avoid using printStackTrace()

  • MD2, MD4, and MD5 are weak hash functions

  • Prefer SecureRandom over Random

  • Prevent path traversal

  • SHA-1 is a weak hash function

JavaScript / TypeScript

  • Avoid setting insecure cookie settings

  • Do not use weak hash functions

Python

  • Avoid SQL injections

  • Do not use an empty list as a default parameter

To learn more about configuring your fix policies in Mobb, click here.

PreviousWhat's New with MobbNextGetting Started

Last updated 5 days ago

Was this helpful?