Mobb User Docs
Start NowBlogsWatch NowContact Us
  • What is Mobb?
  • What's New with Mobb
  • Supported Fixes
  • Getting Started
    • System Requirements
    • Onboarding Guide
      • Registering a Mobb account
      • Try Mobb now!
      • Running Mobb against your own code
      • Automate Mobb in a CI/CD pipeline
    • Working with the Fix Report
    • Mobb CLI Overview
      • Analyze Mode
      • Scan Mode
      • Add SCM Token Mode
      • Review Mode
      • Convert-to-SARIF Mode
      • Common Deployment Scenarios
  • Mobb Dashboard
  • Integrating SAST Findings
    • Checkmarx
      • Generating Checkmarx One JSON Report from CLI
    • Snyk
    • SonarQube
      • Generating a SonarQube SAST Report
    • Fortify
    • CodeQL
    • Semgrep/Opengrep
      • Generating a Semgrep SAST Report
      • Generating an Opengrep SAST Report
  • CI/CD Integrations
    • GitHub Actions
      • GitHub Fixer for CxOne
      • GitHub Fixer for Opengrep
    • GitLab Pipeline
    • Azure DevOps
    • Jenkins
    • CircleCI
    • Bamboo
    • Bitbucket Pipeline
    • Harness
  • Administration
    • User Management
    • Project Settings
    • Access Tokens
    • Organization-Level Fix Policy
    • Integrations Page
    • SAML Single Sign-On Flow
  • More Info
    • Mobb Broker
      • Mobb Broker Token Rotation
      • Secure storage of Mobb broker in AWS Secrets Manager
    • Providing Fix Feedback
    • Frequently Asked Questions (FAQ)
    • Data Protection and Retention
    • Service Level Agreement
  • Fixing Guides
    • SQL Injection
    • Path Traversal
    • Log Forging
    • XSS
    • XXE
    • Server Side Request Forgery
    • HttpOnly Cookie Vulnerabilities
    • Hardcoded Domain in HTML
    • Hardcoded Secrets
    • HTTP Response Splitting Attacks
    • Insecure Cookie Vulnerabilities
    • Insecure Randomness
    • Missing Check against Null
    • Missing Rate Limiting
    • Regex Missing Timeout
    • System Information Leakage
  • Mobb REST API Guide
Powered by GitBook
On this page

Was this helpful?

Supported Fixes

PreviousWhat's New with MobbNextGetting Started

Last updated 23 days ago

Was this helpful?

A "fix" is defined as a code remediation that has been validated and tested by Mobb engineers.

All fixes must meet the following criteria:

  • The fix addresses the security issue as identified by the SAST tool

  • The fix should be recognized by the SAST tool (The SAST tool should recognize the finding as fixed upon re-scan)

Here are the categories of fixes that Mobb currently supports. If there is a category you'd like to see Mobb support that is not listed here, please email us at .

If you'd like us to support a SAST tool that is not listed here, please tell us by submitting it .

Since different SAST vendors often name issues differently, the issue names in parentheses are the Mobb normalized names.

List of Supported Issue Types for Snyk

C#

GO

Java

JavaScript / TypeScript

Python

  • Cross Site Scripting (XSS)

List of Supported Issue Types for Fortify

C#

GO

Java

JavaScript / TypeScript

PHP

Python

XML

List of Supported Issue Types for Checkmarx

C#

  • Declaration Of Catch For Generic Exception

  • Deserialization of Untrusted Data

  • HttpOnlyCookies

  • Improper Exception Handling

  • Improper Resource Shutdown or Release

  • Improper Restriction of XXE Ref

  • Information Exposure Through an Error Message

  • Information Exposure via Headers

  • Insecure Cookie

  • Insufficient Logging of Exceptions

  • Insufficient Logging of Sensitive Operations

  • Just One of Equals and Hash code Defined

  • Log Forging

  • Path Traversal

  • Reflected XSS All Clients

  • SQL Injection

  • SSRF

  • Stored XSS

  • Trust Boundary Violation in Session Variables

  • Unsafe Object Binding

  • Unvalidated Arguments Of Public Methods

  • Use of Insufficiently Random Values

  • Value Shadowing

GO

  • Log Forging

  • Privacy Violation

  • SSL Verification Bypass

  • Use of Cryptographically Weak PRNG

Java

  • Absolute Path Traversal

  • Command Injection

  • Confusing Naming

  • Declaration Of Catch For Generic Exception

  • Detection of Error Condition Without Action

  • Frameable loging page

  • HttpOnlyCookies

  • Improper Resource Shutdown or Release

  • Improper Restriction of Stored XXE Ref

  • Improper Restriction of XXE Ref

  • Information Exposure Through an Error Message

  • Log Forging

  • Portability Flaw Locale Dependent Comparison

  • Privacy Violation

  • Race Condition Format Flaw

  • ReDoS From Regex Injection

  • Reflected XSS All Clients

  • Relative Path Traversal

  • SQL Injection

  • SQL Injection Evasion Attack

  • SSRF

  • Stored Absolute Path Traversal

  • Stored Log Forging

  • Stored XSS

  • Trust Boundary Violation in Session Variables

  • Unchecked Input for Loop Condition

  • Use of Hard coded Cryptographic Key

  • Use of Non Cryptographic Random

  • Use of Wrong Operator in String Comparison

JavaScript / TypeScript

  • Absolute Path Traversal

  • Client DOM Open Redirect

  • Client DOM Stored XSS

  • Client DOM XSS

  • Client Hardcoded Domain

  • Client Insecure Randomness

  • Client JQuery Deprecated Symbols

  • Client Password In Comment

  • Client Potential XSS

  • Client Regex Injection

  • Client Use Of Iframe Without Sandbox

  • Command Injection

  • Log Forging

  • Open Redirect

  • Prototype Pollution

  • Relative Path Traversal

  • Server DoS by loop

  • Server DoS by Loop

  • SQL Injection

  • SSRF

  • Stored XSS

  • Unchecked Input For Loop Condition

  • Unprotected Cookie

  • Unsafe Use Of Target blank

  • Use of Deprecated or Obsolete Functions

  • Use of Insufficiently Random Values

PHP

  • Use of Non Cryptographic Random

Python

  • Reversible One Way Hash

SQL

List of Supported Issue Types for SonarQube

C#

GO

Java

JavaScript / TypeScript

PHP

Python

List of Supported Issue Types for CodeQL

CPP

C#

GO

Java

JavaScript / TypeScript

Python

List of Supported Issue Types for Semgrep/Opengrep

GO

Java

JavaScript / TypeScript

Python

YAML

List of Supported Issue Types for Datadog

Java

JavaScript / TypeScript

Python

To learn more about configuring your fix policies in Mobb, .

support@mobb.ai
here
Anti-forgery token validation disabled
Arbitrary File Write via Archive Extraction (Zip Slip)
Log Forging
Path Traversal
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Sensitive Cookie Without 'HttpOnly' Flag
Server-Side Request Forgery (SSRF)
SQL Injection
Use of Insufficiently Random Values
XML External Entity (XXE) Injection
Clear Text Logging
Improper Certificate Validation
Insecurely Generated Password
Arbitrary File Write via Archive Extraction (Zip Slip)
Command Injection
Cross-site Scripting (XSS)
Improper Neutralization of CRLF Sequences in HTTP Headers
Path Traversal
Regular expression injection
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Sensitive Cookie Without 'HttpOnly' Flag
Server-Side Request Forgery (SSRF)
SQL Injection
Trust Boundary Violation
XML External Entity (XXE) Injection
Allocation of Resources Without Limits or Throttling
Command Injection
Cross-site Scripting (XSS)
Denial of Service (DoS) through Nested GraphQL Queries
Indirect Command Injection via User Controlled Environment
NoSQL Injection
Open Redirect
Path Traversal
Privacy Leak
Prototype Pollution
Regular Expression Denial of Service (ReDoS)
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Server-Side Request Forgery (SSRF)
SQL Injection
Command Injection
Debug Mode Enabled
Incomplete URL sanitization
Jinja auto-escape is set to false
Path Traversal
Regular Expression Denial of Service (ReDoS)
SQL Injection
ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation
Cookie Security: HTTPOnly not Set on Application Cookie
Cookie Security: Session Cookie not Sent Over SSL
Header Manipulation
Insecure Randomness
Insecure Randomness: Hardcoded Seed
Log Forging
Mass Assignment: Insecure Binder Configuration
Null Dereference
Object Model Violation: Just One of Equals() and GetHashCode() Defined
Password Management: Password in Comment
Path Manipulation
Path Manipulation: Base Path Overwriting
Path Manipulation: Zip Entry Overwrite
Poor Error Handling: Overly Broad Catch
Poor Logging Practice: Use of a System Output Stream
SQL Injection
System Information Leak
System Information Leak: Internal
Trust Boundary Violation
XML Entity Expansion Injection
XML External Entity Injection
Log Forging
Code Correctness: Class Does Not Implement Equivalence Method
Code Correctness: Comparison of Boxed Primitive Types
Code Correctness: Erroneous String Compare
Command Injection
Cookie Security: Cookie not Sent Over SSL
Cookie Security: HTTPOnly not Set
Cross-Site Scripting: Reflected
Denial of Service: Regular Expression
Denial of Service: StringBuilder
Insecure Randomness
J2EE Bad Practices: Leftover Debug Code
Log Forging
Log Forging (debug)
Missing Check against Null
Null Dereference
Password Management: Password in Comment
Path Manipulation
Path Manipulation: Zip Entry Overwrite
J2EE Bad Practices: Threads
Poor Error Handling: Empty Catch Block
Poor Error Handling: Overly Broad Catch
Poor Logging Practice: Use of a System Output Stream
Poor Style: Confusing Naming
Poor Style: Non-final Public Static Field
Poor Style: Value Never Read
Portability Flaw: Locale Dependent Comparison
Privacy Violation
Race Condition: Format Flaw
Server-Side Request Forgery
SQL Injection
System Information Leak
System Information Leak: HTML Comment in JSP
System Information Leak: Internal
Trust Boundary Violation
Unreleased Resource: Database
Unreleased Resource: Files
Unreleased Resource: Sockets
Unreleased Resource: Streams
Unreleased Resource: Synchronization
Unreleased Resource: Unmanaged Object
Weak Cryptographic Hash
XML Entity Expansion Injection
XML External Entity Injection
Command Injection
Cookie Security: Cookie not Sent Over SSL
Cross-Site Scripting: DOM
Cross-Site Scripting: Self
Hardcoded Domain in HTML
Insecure Randomness
Insecure Randomness: Hardcoded Seed
Open Redirect
Password Management: Password in Comment
Path Manipulation
Privacy Violation: Autocomplete
System Information Leak: External
System Information Leak: Internal
Insecure Randomness
Cross-Site Request Forgery
Password Management: Password in Comment
Path Manipulation
SQL Injection
System Information Leak: Internal
Weak Cryptographic Hash
Password Management: Password in Comment
Weak XML Schema: Unbounded Occurrences
Heap Inspection
Missing HSTS Header
Password In Comment
Reversible One Way Hash
Unsafe Object Binding
Use Of Broken Or Risky Cryptographic Algorithm
Client DOM Stored Code Injection
Client Weak Cryptographic Hash
Missing CSP Header
Missing HSTS Header
Use Of Broken Or Risky Cryptographic Algorithm
Debug Enabled
Filtering Sensitive Logs
Improper Resource Shutdown or Release
Information Exposure Through an Error Message
Log Forging
Password in Comment
Path Traversal
Privacy Violation
ReDoS Injection
Second Order SQL Injection
SQL Injection
Unchecked Input for Loop Condition
Use Of Broken Or Risky Cryptographic Algorithm
XSS
Default Definer Rights in Package or Object Definition
Second Order SQL Injection
Composite format strings should be used correctly
Creating cookies without the "HttpOnly" flag is security-sensitive
Creating cookies without the "secure" flag is security-sensitive
Extracting archives should not lead to zip slip vulnerabilities
Fields that are only assigned in the constructor should be "readonly"
I/O function calls should not be vulnerable to path injection attacks
Logging should not be vulnerable to injection attacks
Not specifying a timeout for regular expressions is security-sensitive
Null pointers should not be dereferenced
Sections of code should not be commented out
Secure random number generators should not output predictable values
Unassigned members should be removed
Unread "private" fields should be removed
Unused private types or members should be removed
Using pseudorandom number generators (PRNGs) is security-sensitive
Creating cookies without the "HttpOnly" flag is security-sensitive
Creating cookies without the "secure" flag is security-sensitive
Database queries should not be vulnerable to injection attacks
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Extracting archives should not lead to zip slip vulnerabilities
I/O function calls should not be vulnerable to path injection attacks
Logging should not be vulnerable to injection attacks
Public constants and fields initialized at declaration should be "static final" rather than merely "final"
Regular expressions should not be vulnerable to Denial of Service attacks
String literals should not be duplicated
Strings and Boxed types should be compared using "equals()"
Unused assignments should be removed
Unused local variables should be removed
Using pseudorandom number generators (PRNGs) is security-sensitive
Using weak hashing algorithms is security-sensitive
Creating cookies without the "secure" flag is security-sensitive
Database queries should not be vulnerable to injection attacks
Database queries should not be vulnerable to injection attacks
DOM updates should not lead to cross-site scripting (XSS) attacks
DOM updates should not lead to cross-site scripting (XSS) attacks
DOM updates should not lead to open redirect vulnerabilities
DOM updates should not lead to open redirect vulnerabilities
Dynamically executing code is security-sensitive
Function returns should not be invariant
HTTP request redirections should not be open to forging attacks
HTTP request redirections should not be open to forging attacks
I/O function calls should not be vulnerable to path injection attacks
I/O function calls should not be vulnerable to path injection attacks
Jump statements should not occur in "finally" blocks
Jump statements should not occur in "finally" blocks
NoSQL operations should not be vulnerable to injection attacks
NoSQL operations should not be vulnerable to injection attacks
Regular expressions should not be vulnerable to Denial of Service attacks
Regular expressions should not be vulnerable to Denial of Service attacks
Unnecessary character escapes should be removed
Unnecessary character escapes should be removed
Using pseudorandom number generators (PRNGs) is security-sensitive
Using pseudorandom number generators (PRNGs) is security-sensitive
Using remote artifacts without integrity checks is security-sensitive
Using weak hashing algorithms is security-sensitive
Variables should be declared with "let" or "const"
Variables should be declared with "let" or "const"
Using pseudorandom number generators (PRNGs) is security-sensitive
Database queries should not be vulnerable to injection attacks
Delivering code in production with debug features activated is security-sensitive
Disabling auto-escaping in template engines is security-sensitive
Formatting SQL queries is security-sensitive
Function parameters' default values should not be modified or assigned
Logging should not be vulnerable to injection attacks
Loop boundaries should not be vulnerable to injection attacks
python:S5443 Using publicly writable directories is security-sensitive
python:S5754 "SystemExit" should be re-raised
python:S5795 Identity comparisons should not be used with cached types
Regular expressions should not be vulnerable to Denial of Service attacks
Using weak hashing algorithms is security-sensitive
Use of dangerous function
Arbitrary file access during archive extraction (”Zip Slip”)
Deserialization of untrusted data
Insecure randomness
Log entries created from user input
Uncontrolled data used in path expression
Clear-text logging of sensitive information
Disabled TLS certificate check
Incomplete regular expression for hostnames
Log entries created from user input
Arbitrary file access during archive extraction (”Zip Slip”)
Cross-site scripting
Executing a command with a relative path
Failure to use secure cookies
HTTP response splitting
Log Injection
Query built by concatenation with a possibly-untrusted string
Query built from user-controlled sources
Resolving XML external entity in user-controlled data
Server-side request forgery
Uncontrolled command line
Uncontrolled data used in path expression
Use of a broken or risky cryptographic algorithm
Use of a potentially broken or risky cryptographic algorithm
Use of a potentially broken or risky cryptographic algorithm
Clear text transmission of sensitive cookie
Client-side cross-site scripting
Client-side URL redirect
Database query built from user-controlled sources
Inclusion of functionality from an untrusted source
Incomplete regular expression for hostnames
Incomplete URL scheme check
Incomplete URL substring sanitization
Inefficient regular expression
Insecure randomness
Insecure randomness
Log injection
Missing rate limiting
Overly permissive regular expression range
Prototype-polluting assignment
Prototype-polluting function
Reflected cross-site scripting
Regular expression injection
Server-side request forgery
Server-side URL redirect
Type confusion through parameter tampering
Uncontrolled data used in path expression
Use of a broken or weak cryptographic algorithm
Useless regular-expression character escape
Flask app is run in debug mode
Incomplete URL substring sanitization
Information exposure through an exception
Jinja2 templating with autoescape=False
Log Injection
Overly permissive regular expression range
Regular expression injection
SQL query built from user-controlled sources
Uncontrolled data used in path expression
Use of a broken or weak cryptographic algorithm
Use of a broken or weak cryptographic hashing algorithm on sensitive data
XSS
go.lang.security.audit.dangerous-exec-command.dangerous-exec-command
go.lang.security.injection.open-redirect.open-redirect
gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check
insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification
lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
lang.security.audit.crypto.use_of_weak_crypto.use-of-md5
lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1
lang.security.audit.dangerous-exec-command.dangerous-exec-command
lang.security.audit.sqli.pgx-sqli.pgx-sqli
lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter
java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly
java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag
java.lang.security.audit.crypto.weak-random.weak-random
java.servlets.security.cookie-issecure-false.cookie-issecure-false
lang.security.audit.crypto.use-of-md5.use-of-md5
lang.security.audit.crypto.use-of-sha1.use-of-sha1
lang.security.audit.sqli.jdbc-sqli.jdbc-sqli
lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request
html.security.audit.missing-integrity.missing-integrity
javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape
javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
django.security.injection.tainted-sql-string.tainted-sql-string
flask.security.injection.tainted-sql-string.tainted-sql-string
python.django.security.django-no-csrf-token.django-no-csrf-token
python.django.security.injection.open-redirect.open-redirect
python.flask.security.audit.debug-enabled.debug-enabled
python.lang.security.audit.formatted-sql-query.formatted-sql-query
python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli
python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5
python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
python.lang.security.insecure-uuid-version.insecure-uuid-version
python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text
python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query
yaml.github-actions.security.run-shell-injection.run-shell-injection
Avoid user-input file
Avoid using printStackTrace()
MD2, MD4, and MD5 are weak hash functions
Prefer SecureRandom over Random
Prevent path traversal
SHA-1 is a weak hash function
Avoid setting insecure cookie settings
Do not use weak hash functions
Avoid SQL injections
Do not use an empty list as a default parameter
click here