# What's New with Mobb


**April 17, 2026**

* **New fixes released:**
  * **CodeQL**
    * [User-controlled data in numeric cast](https://codeql.github.com/codeql-query-help/java/java-tainted-numeric-cast/) (Java)
    * [Full server-side request forgery](https://codeql.github.com/codeql-query-help/python/py-full-ssrf/) (Python)
* **New FP rules released:**
  * **Checkmarx**
    * Prototype Pollution (JavaScript / TypeScript)
  * **CodeQL**
    * [Executing a command with a relative path](https://codeql.github.com/codeql-query-help/java/java-relative-path-command/) (Java)
    * [User-controlled data in numeric cast](https://codeql.github.com/codeql-query-help/java/java-tainted-numeric-cast/) (Java)
    * [Prototype-polluting assignment](https://codeql.github.com/codeql-query-help/javascript/js-prototype-polluting-assignment/) (JavaScript / TypeScript)
    * [Prototype-polluting function](https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/) (JavaScript / TypeScript)
    * [Full server-side request forgery](https://codeql.github.com/codeql-query-help/python/py-full-ssrf/) (Python)
    * [Incomplete URL substring sanitization](https://codeql.github.com/codeql-query-help/python/py-incomplete-url-substring-sanitization/) (Python)
  * **Semgrep/Opengrep**
    * [eslint.detect-object-injection](https://semgrep.dev/r?q=eslint.detect-object-injection) (JavaScript / TypeScript)
    * [gitlab.eslint.detect-object-injection](https://semgrep.dev/r?q=gitlab.eslint.detect-object-injection) (JavaScript / TypeScript)
    * javascript.lang.security.audit.prototype-pollution-loop-mobb.prototype-pollution-loop-mobb (JavaScript / TypeScript)
    * [javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop](https://semgrep.dev/r?q=javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop) (JavaScript / TypeScript)
  * **Snyk**
    * [Prototype Pollution](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules) (JavaScript / TypeScript)
    * [Incomplete URL sanitization](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules) (Python)

**April 16, 2026**

* **New REST API endpoint:** Added organization-scoped `GET /api/rest/organizations/{organizationId}/active-reports` endpoint — similar to the existing `/api/rest/active-reports` but filtered by organization and enriched with project ID and name in the response. [View API Documentation](https://apidocs.mobb.ai/mobb-rest-api#tag/fix-reports/get/api/rest/organizations/{organizationId}/active-reports)
* **REST API update:** `GET /api/rest/active-reports` now returns project ID and name in its response. [View API Documentation](https://apidocs.mobb.ai/mobb-rest-api#tag/fix-reports/get/api/rest/active-reports)

**April 15, 2026**

* **New fixes released:**
  * **CodeQL**
    * [Bad redirect check](https://codeql.github.com/codeql-query-help/go/go-bad-redirect-check/) (GO)
    * [Bad HTML filtering regexp](https://codeql.github.com/codeql-query-help/javascript/js-bad-tag-filter/) (JavaScript / TypeScript)
    * [Clear-text logging of sensitive information](https://codeql.github.com/codeql-query-help/javascript/js-clear-text-logging/) (JavaScript / TypeScript)
* **New FP rules released:**
  * **CodeQL**
    * [Bad redirect check](https://codeql.github.com/codeql-query-help/go/go-bad-redirect-check/) (GO)
    * [Bad HTML filtering regexp](https://codeql.github.com/codeql-query-help/javascript/js-bad-tag-filter/) (JavaScript / TypeScript)

**April 7, 2026**

* **New fixes released:**
  * **CodeQL**
    * [Cookie "HttpOnly" attribute is not set to true](https://codeql.github.com/codeql-query-help/csharp/cs-web-cookie-httponly-not-set/) (C#)
    * [Cookie "Secure" attribute is not set to true](https://codeql.github.com/codeql-query-help/csharp/cs-web-cookie-secure-not-set/) (C#)
    * [Cross-site scripting](https://codeql.github.com/codeql-query-help/csharp/cs-web-xss/) (C#)
    * [Exposure of private information](https://codeql.github.com/codeql-query-help/csharp/cs-exposure-of-sensitive-information/) (C#)
    * [Missing cross-site request forgery token validation](https://codeql.github.com/codeql-query-help/csharp/cs-web-missing-token-validation/) (C#)
    * [URL redirection from remote source](https://codeql.github.com/codeql-query-help/csharp/cs-web-unvalidated-url-redirection/) (C#)
    * [Open URL redirect](https://codeql.github.com/codeql-query-help/go/go-unvalidated-url-redirection/) (GO)
    * [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/go/go-reflected-xss/) (GO)
    * Stored cross-site scripting (GO)
    * [Use of insufficient randomness as the key of a cryptographic algorithm](https://codeql.github.com/codeql-query-help/go/go-insecure-randomness/) (GO)
    * [Building a command line with string concatenation](https://codeql.github.com/codeql-query-help/java/java-concatenated-command-line/) (Java)
    * [Cross-Site Request Forgery](https://codeql.github.com/codeql-query-help/java/java-spring-disabled-csrf-protection/) (Java)
    * [Insecure randomness](https://codeql.github.com/codeql-query-help/java/java-insecure-randomness/) (Java)
    * [Insertion of sensitive information into log files](https://codeql.github.com/codeql-query-help/java/java-sensitive-log/) (Java)
    * [Partial path traversal vulnerability](https://codeql.github.com/codeql-query-help/java/java-partial-path-traversal/) (Java)
    * [Regular expression injection](https://codeql.github.com/codeql-query-help/java/java-regex-injection/) (Java)
    * [Cross-window communication with unrestricted target origin](https://codeql.github.com/codeql-query-help/javascript/js-cross-window-information-leak/) (JavaScript / TypeScript)
    * [Incomplete string escaping or encoding](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/) (JavaScript / TypeScript)
    * [Indirect uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-indirect-command-line-injection/) (JavaScript / TypeScript)
    * [Loop bound injection](https://codeql.github.com/codeql-query-help/javascript/js-loop-bound-injection/) (JavaScript / TypeScript)
    * [Sensitive server cookie exposed to the client](https://codeql.github.com/codeql-query-help/javascript/js-client-exposed-cookie/) (JavaScript / TypeScript)
    * [Shell command built from environment values](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-injection-from-environment/) (JavaScript / TypeScript)
    * [Unsafe HTML constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/) (JavaScript / TypeScript)
    * [Unsafe jQuery plugin](https://codeql.github.com/codeql-query-help/javascript/js-unsafe-jquery-plugin/) (JavaScript / TypeScript)
    * [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-constructed-from-input/) (JavaScript / TypeScript)
    * [Uncontrolled command line](https://codeql.github.com/codeql-query-help/python/py-command-line-injection/) (Python)
    * [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/python/py-shell-command-constructed-from-input/) (Python)
* **New FP rules released:**
  * **CodeQL**
    * [Cross-site scripting](https://codeql.github.com/codeql-query-help/csharp/cs-web-xss/) (C#)
    * [URL redirection from remote source](https://codeql.github.com/codeql-query-help/csharp/cs-web-unvalidated-url-redirection/) (C#)
    * [Open URL redirect](https://codeql.github.com/codeql-query-help/go/go-unvalidated-url-redirection/) (GO)
    * [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/go/go-reflected-xss/) (GO)
    * Stored cross-site scripting (GO)
    * [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/go/go-weak-cryptographic-algorithm/) (GO)
    * [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/go/go-weak-sensitive-data-hashing/) (GO)
    * [Cross-Site Request Forgery](https://codeql.github.com/codeql-query-help/java/java-spring-disabled-csrf-protection/) (Java)
    * [Hardcoded Credential Comparison](https://codeql.github.com/codeql-query-help/java-cwe/) (Java)
    * [Insertion of sensitive information into log files](https://codeql.github.com/codeql-query-help/java/java-sensitive-log/) (Java)
    * [Partial path traversal vulnerability](https://codeql.github.com/codeql-query-help/java/java-partial-path-traversal/) (Java)
    * [Cross-window communication with unrestricted target origin](https://codeql.github.com/codeql-query-help/javascript/js-cross-window-information-leak/) (JavaScript / TypeScript)
    * [Incomplete string escaping or encoding](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/) (JavaScript / TypeScript)
    * [Indirect uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-indirect-command-line-injection/) (JavaScript / TypeScript)
    * [Sensitive server cookie exposed to the client](https://codeql.github.com/codeql-query-help/javascript/js-client-exposed-cookie/) (JavaScript / TypeScript)
    * [Shell command built from environment values](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-injection-from-environment/) (JavaScript / TypeScript)
    * [Unsafe HTML constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/) (JavaScript / TypeScript)
    * [Unsafe jQuery plugin](https://codeql.github.com/codeql-query-help/javascript/js-unsafe-jquery-plugin/) (JavaScript / TypeScript)
    * [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-constructed-from-input/) (JavaScript / TypeScript)
    * [Uncontrolled command line](https://codeql.github.com/codeql-query-help/python/py-command-line-injection/) (Python)
    * [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/python/py-shell-command-constructed-from-input/) (Python)

**March 23, 2026**

* **New guide:** Added a step-by-step integration guide for [Jenkins + Bitbucket + Checkmarx One](https://docs.mobb.ai/mobb-user-docs/ci-cd-integrations/jenkins/jenkins-+-bitbucket-repository), covering how to set up Checkmarx One scanning and Mobb auto-remediation for your Bitbucket repositories through a Jenkins pipeline.

**March 4, 2026**

* **New REST API guide:** Added a deployment scenario guide explaining how to use the `/api/rest/fp-summary` endpoint to retrieve concise false positive summaries (up to 280 characters) — ideal for embedding in suppression comments, ticketing systems, and CI/CD pipelines. [Learn more](https://docs.mobb.ai/mobb-user-docs/mobb-rest-api/rest-api-common-deployment-scenarios#retrieving-a-concise-false-positive-summary)

**February 27, 2026**

* **New guide:** Added a step-by-step integration guide for [GitHub Fixer for GitHub Advanced Security (GHAS)](https://docs.mobb.ai/mobb-user-docs/ci-cd-integrations/github-actions/github-fixer-for-ghas), covering how to set up CodeQL monitoring and automate Mobb fixes directly in your Pull Requests using the [codeql-mobb-fixer-action](https://github.com/marketplace/actions/codeql-mobb-fixer-action).
* **New fixes released:**
  * **CodeQL**
    * [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/) (YAML)
    * [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/) (YAML)
* **New FP rules released:**
  * **CodeQL**
    * [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/) (YAML)
    * [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/) (YAML)

**February 17, 2026**

* **New feature in Mobb CLI:** Added `scan-skill` command to provide security scanning for agentic coding skills before installation and after deployment. Protects against malicious skills that could perform credential theft, persistence, or remote payload execution. [Learn more](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-cli/scan-skill-mode)
* **New REST API endpoint:** Added `/api/rest/fp-summary` endpoint to retrieve concise false positive descriptions (up to 280 characters) for issues. [View API Documentation](https://apidocs.mobb.ai/mobb-rest-api#tag/issues/get/api/rest/fp-summary)

**February 13, 2026**

* **New REST API endpoint:** Added the `/api/rest/active-reports` endpoint to retrieve all active fix reports that have reached a finished state. [View API Documentation](https://apidocs.mobb.ai/mobb-rest-api#tag/fix-reports/get/api/rest/active-reports)
* **Age of Fixable Issue:** Added age tracking for fixable issues to help with SLA tracking and prioritization. [Learn more](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#age-of-fixable-issue)

**February 9, 2026**

* **New fixes released:**
  * **CodeQL**
    * [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/) (YAML)
    * [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/) (YAML)
    * [Unpinned tag for a non-immutable Action in workflow](https://codeql.github.com/codeql-query-help/actions/actions-unpinned-tag/) (YAML)
* **New FP rules released:**
  * **Checkmarx**
    * Log Forging (Java)
    * Stored Log Forging (Java)
    * Command Injection (JavaScript / TypeScript)
  * **CodeQL**
    * [Log Injection](https://codeql.github.com/codeql-query-help/java/java-log-injection/) (Java)
    * [Uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-command-line-injection/) (JavaScript / TypeScript)
    * [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/) (YAML)
    * [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/) (YAML)
  * **Datadog**
    * Command Injection (JavaScript / TypeScript)
  * **Fortify**
    * [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Java%2FJSP) (Java)
    * [Log Forging (debug)](https://vulncat.fortify.com/en/detail?category=Log%20Forging%20%28debug%29#Java%2FJSP) (Java)
    * [Command Injection](https://vulncat.fortify.com/en/detail?category=Command%20Injection#JavaScript%2FTypeScript) (JavaScript / TypeScript)
  * **Semgrep/Opengrep**
    * [eslint.detect-child-process](https://semgrep.dev/r?q=gitlab.eslint.detect-child-process) (JavaScript / TypeScript)
    * [eslint.detect-eval-with-expression](https://semgrep.dev/r?q=eslint.detect-eval-with-expression) (JavaScript / TypeScript)
    * [javascript.lang.security.detect-child-process.detect-child-process](https://semgrep.dev/r?q=lang.security.detect-child-process.detect-child-process) (JavaScript / TypeScript)
    * [mobb.security.audit.express-check-cmdi](https://semgrep.dev/r?q=mobb.express-check-cmdi) (JavaScript / TypeScript)
    * [njsscan.eval.eval\_node.eval\_nodejs](https://semgrep.dev/r?q=njsscan.eval.eval_node.eval_nodejs) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-eval-rule-eval\_nodejs](https://semgrep.dev/r?q=nodejs_scan.javascript-eval-rule-eval_nodejs) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=nodejs_scan.javascript-exec-rule-shelljs_os_command_exec) (JavaScript / TypeScript)
    * [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r?q=yaml.github-actions.security.run-shell-injection.run-shell-injection) (YAML)
  * **Snyk**
    * [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection) (JavaScript / TypeScript)
    * [Indirect Command Injection via User Controlled Environment](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-13-indirect-command-injection-via-user-controlled-environment) (JavaScript / TypeScript)
  * **SonarQube**
    * [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-5145/) (Java)
    * [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5334/) (JavaScript / TypeScript)
    * [OS commands should not be vulnerable to command injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2076/) (JavaScript / TypeScript)
    * [Using shell interpreter when executing OS commands is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-4721/) (JavaScript / TypeScript)

**January 7, 2026**

* **Tracy Time Machine:** A new feature of the Mobb Tracy extension (for VS Code and Cursor) that lets you go back in time to review the AI conversation history for specific lines of code and continue the conversation with the previous context preserved. [Click here to learn more](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-tracy#tracy-time-machine).
* **New FP rules released:**
  * **Checkmarx**
    * Use Of Broken Or Risky Cryptographic Algorithm (C#)
    * Client DOM Open Redirect (JavaScript / TypeScript)
    * Open Redirect (JavaScript / TypeScript)
  * **CodeQL**
    * [Client-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-client-side-unvalidated-url-redirection/) (JavaScript / TypeScript)
    * [Server-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-server-side-unvalidated-url-redirection/) (JavaScript / TypeScript)
  * **Fortify**
    * [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#JavaScript%2FTypeScript) (JavaScript / TypeScript)
  * **Semgrep/Opengrep**
    * [express.security.audit.express-open-redirect.express-open-redirect](https://semgrep.dev/r?q=express.security.audit.express-open-redirect.express-open-redirect) (JavaScript / TypeScript)
    * [express.security.audit.possible-user-input-redirect.unknown-value-in-redirect](https://semgrep.dev/r?q=express.security.audit.possible-user-input-redirect.unknown-value-in-redirect) (JavaScript / TypeScript)
    * [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect) (JavaScript / TypeScript)
    * [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect) (JavaScript / TypeScript)
    * [javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect2) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2) (JavaScript / TypeScript)
  * **Snyk**
    * [Open Redirect](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-121-open-redirect) (JavaScript / TypeScript)
  * **SonarQube**
    * [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/javascript/RSPEC-6105/) (JavaScript / TypeScript)
    * [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/javascript/RSPEC-5146/) (JavaScript / TypeScript)

**December 19, 2025**

* **Fix Side Panel:** A new side panel makes reviewing fixes considerably easier, especially when preparing bulk commits. [Click here to learn more](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#bulk-commits-best-practices-using-the-fix-side-panel).
* **New fixes released:**
  * **Checkmarx**
    * Dynamic SQL Queries (C#)
    * Command Injection (GO)
    * SQL Injection (GO)
    * Second Order SQL Injection (GO)
    * Client DOM Code Injection (JavaScript / TypeScript)
    * Information Exposure Through an Error Message (JavaScript / TypeScript)
    * Command Argument Injection (Python)
  * **CodeQL**
    * SQL Injection (C#)
    * Command Injection (GO)
    * SQL Injection (GO)
    * [Information exposure through a stack trace](https://codeql.github.com/codeql-query-help/javascript/js-stack-trace-exposure/) (JavaScript / TypeScript)
    * [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-exception/) (JavaScript / TypeScript)
    * [Uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-command-line-injection/) (JavaScript / TypeScript)
    * [Untrusted data passed to external API](https://codeql.github.com/codeql-query-help/javascript-cwe/) (JavaScript / TypeScript)
  * **Datadog**
    * SQL Injection (GO)
    * Command Injection (JavaScript / TypeScript)
    * Path traversal (JavaScript / TypeScript)
    * SQL Injection (JavaScript / TypeScript)
    * Path Traversal (Python)
  * **Semgrep/Opengrep**
    * [lang.security.audit.database.string-formatted-query](https://semgrep.dev/r?q=lang.security.audit.database.string-formatted-query) (GO)
    * [lang.security.injection.tainted-sql-string](https://semgrep.dev/r?q=lang.security.injection.tainted-sql-string) (GO)
    * [lang.security.audit.command-injection-process-builder](https://semgrep.dev/r?q=lang.security.audit.command-injection-process-builder) (Java)
    * [lang.security.audit.command-injection-process-builder.command-injection-process-builder](https://semgrep.dev/r?q=lang.security.audit.command-injection-process-builder.command-injection-process-builder) (Java)
    * [SSRF](https://semgrep.dev/r?q=njsscan.ssrf.ssrf_node.node_ssrf) (JavaScript / TypeScript)
    * [eslint.detect-eval-with-expression](https://semgrep.dev/r?q=eslint.detect-eval-with-expression) (JavaScript / TypeScript)
    * [express.security.audit.xss.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write) (JavaScript / TypeScript)
    * [express.security.audit.xss.direct-response-write.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write.direct-response-write) (JavaScript / TypeScript)
    * [express.security.injection.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string) (JavaScript / TypeScript)
    * [express.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string.tainted-sql-string) (JavaScript / TypeScript)
    * [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key) (JavaScript / TypeScript)
    * [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key) (JavaScript / TypeScript)
    * [njsscan.eval.eval\_node.eval\_nodejs](https://semgrep.dev/r?q=njsscan.eval.eval_node.eval_nodejs) (JavaScript / TypeScript)
    * [njsscan.traversal.path\_traversal.generic\_path\_traversal](https://semgrep.dev/r?q=njsscan.traversal.path_traversal.generic_path_traversal) (JavaScript / TypeScript)
    * [njsscan.xss.xss\_node.express\_xss](https://semgrep.dev/r?q=njsscan.xss.xss_node.express_xss) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-eval-rule-eval\_nodejs](https://semgrep.dev/r?q=nodejs_scan.javascript-eval-rule-eval_nodejs) (JavaScript / TypeScript)
    * [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key) (JavaScript / TypeScript)
    * [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key.generic-api-key) (JavaScript / TypeScript)
    * [django.security.injection.path-traversal.path-traversal-open](https://semgrep.dev/r?q=django.security.injection.path-traversal.path-traversal-open) (Python)
    * [django.security.injection.path-traversal.path-traversal-open.path-traversal-open](https://semgrep.dev/r?q=django.security.injection.path-traversal.path-traversal-open.path-traversal-open) (Python)
    * [flask.security.injection.path-traversal-open](https://semgrep.dev/r?q=flask.security.injection.path-traversal-open) (Python)
    * [flask.security.injection.path-traversal-open.path-traversal-open](https://semgrep.dev/r?q=flask.security.injection.path-traversal-open.path-traversal-open) (Python)
    * [flask.security.injection.subprocess-injection](https://semgrep.dev/r?q=flask.security.injection.subprocess-injection) (Python)
    * [lang.security.dangerous-subprocess-use](https://semgrep.dev/r?q=lang.security.dangerous-subprocess-use) (Python)
  * **Snyk**
    * Command Injection (GO)
    * [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules) (GO)
    * SQL Injection (GO)
  * **SonarQube**
    * [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2077/) (C#)
    * Constructing arguments of system commands from user input is security-sensitive (GO)
    * Database queries should not be vulnerable to injection attacks (GO)
    * Formatting SQL queries is security-sensitive (GO)
    * [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5334/) (JavaScript / TypeScript)
    * [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5131/) (JavaScript / TypeScript)
    * [OS commands should not be vulnerable to command injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2076/) (JavaScript / TypeScript)
    * [Server-side requests should not be vulnerable to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5144/) (JavaScript / TypeScript)
    * [Using shell interpreter when executing OS commands is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-4721/) (JavaScript / TypeScript)
    * [Constructing arguments of system commands from user input is security-sensitive](https://rules.sonarsource.com/python/RSPEC-6350/) (Python)
    * [Disabling CSRF protections is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4502/) (Python)
    * [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/python/RSPEC-5131/) (Python)
    * [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/python/RSPEC-2083/) (Python)
* **New FP rules released:**
  * **Checkmarx**
    * Dynamic SQL Queries (C#)
    * Command Injection (GO)
    * SQL Injection (GO)
    * Second Order SQL Injection (GO)
    * Client DOM Code Injection (JavaScript / TypeScript)
    * Command Argument Injection (Python)
  * **CodeQL**
    * Hard-coded Connection String Credentials (C#)
    * Hard-coded credentials (C#)
    * SQL Injection (C#)
    * Command Injection (GO)
    * SQL Injection (GO)
    * [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-exception/) (JavaScript / TypeScript)
    * [Untrusted data passed to external API](https://codeql.github.com/codeql-query-help/javascript-cwe/) (JavaScript / TypeScript)
  * **Datadog**
    * SQL Injection (GO)
    * Path traversal (JavaScript / TypeScript)
    * SQL Injection (JavaScript / TypeScript)
    * Insecure hash functions (Python)
  * **Fortify**
    * [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#JavaScript%2FTypeScript) (JavaScript / TypeScript)
  * **Semgrep/Opengrep**
    * [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key) (C#)
    * [lang.security.audit.database.string-formatted-query](https://semgrep.dev/r?q=lang.security.audit.database.string-formatted-query) (GO)
    * [lang.security.injection.tainted-sql-string](https://semgrep.dev/r?q=lang.security.injection.tainted-sql-string) (GO)
    * [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key) (GO)
    * [find\_sec\_bugs.DMI\_CONSTANT\_DB\_PASSWORD-1.HARD\_CODE\_PASSWORD-3](https://semgrep.dev/r?q=find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3) (Java)
    * [find\_sec\_bugs.HARD\_CODE\_KEY-4](https://semgrep.dev/r?q=find_sec_bugs.HARD_CODE_KEY-4) (Java)
    * [find\_sec\_bugs.HARD\_CODE\_PASSWORD-1](https://semgrep.dev/r?q=find_sec_bugs.HARD_CODE_PASSWORD-1) (Java)
    * [mobsfscan.crypto.weak\_hashes.weak\_hash](https://semgrep.dev/r?q=mobsfscan.crypto.weak_hashes.weak_hash) (Java)
    * [SSRF](https://semgrep.dev/r?q=njsscan.ssrf.ssrf_node.node_ssrf) (JavaScript / TypeScript)
    * [express.security.audit.xss.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write) (JavaScript / TypeScript)
    * [express.security.audit.xss.direct-response-write.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write.direct-response-write) (JavaScript / TypeScript)
    * [express.security.injection.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string) (JavaScript / TypeScript)
    * [express.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string.tainted-sql-string) (JavaScript / TypeScript)
    * [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key) (JavaScript / TypeScript)
    * [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key) (JavaScript / TypeScript)
    * [njsscan.crypto.crypto\_node.node\_md5](https://semgrep.dev/r?q=njsscan.crypto.crypto_node.node_md5) (JavaScript / TypeScript)
    * [njsscan.traversal.path\_traversal.generic\_path\_traversal](https://semgrep.dev/r?q=njsscan.traversal.path_traversal.generic_path_traversal) (JavaScript / TypeScript)
    * [njsscan.xss.xss\_node.express\_xss](https://semgrep.dev/r?q=njsscan.xss.xss_node.express_xss) (JavaScript / TypeScript)
    * [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key) (JavaScript / TypeScript)
    * [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key.generic-api-key) (JavaScript / TypeScript)
    * [flask.security.injection.subprocess-injection](https://semgrep.dev/r?q=flask.security.injection.subprocess-injection) (Python)
    * [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key) (Python)
    * [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key.generic-api-key) (Python)
    * [lang.security.dangerous-subprocess-use](https://semgrep.dev/r?q=lang.security.dangerous-subprocess-use) (Python)
    * [secrets.gitleaks.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key) (Python)
    * [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key) (Python)
  * **Snyk**
    * Command Injection (GO)
    * [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules) (GO)
    * SQL Injection (GO)
  * **SonarQube**
    * Dropbox app credentials should not be disclosed (C#)
    * [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2077/) (C#)
    * [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-6418) (C#)
    * [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-4790/) (C#)
    * Constructing arguments of system commands from user input is security-sensitive (GO)
    * Database queries should not be vulnerable to injection attacks (GO)
    * Formatting SQL queries is security-sensitive (GO)
    * Using weak hashing algorithms is security-sensitive (GO)
    * [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5131/) (JavaScript / TypeScript)
    * [Server-side requests should not be vulnerable to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5144/) (JavaScript / TypeScript)
    * [Constructing arguments of system commands from user input is security-sensitive](https://rules.sonarsource.com/python/RSPEC-6350/) (Python)
    * [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/python/RSPEC-5131/) (Python)

**December 9, 2025**

* **Fix Confidence in REST API:** You can now access the fix confidence score (Stable vs Adaptive) directly via the API. [Click here to learn more](https://docs.mobb.ai/mobb-user-docs/mobb-rest-api/rest-api-common-deployment-scenarios#guide-1-how-to-obtain-fix-confidence-status). API documentation: [GET fix-reports/{fixReportId}](https://apidocs.mobb.ai/mobb-rest-api#tag/fix-reports/get/api/rest/fix-reports/{fixReportId}).
* **Fix Ratings in REST API:** Retrieve user feedback and fix ratings (Vote Score, Comments, Tags) programmatically. [Click here to learn more](https://docs.mobb.ai/mobb-user-docs/mobb-rest-api/rest-api-common-deployment-scenarios#guide-2-how-to-obtain-fix-rating). API documentation: [GET fix-reports/{fixReportId}](https://apidocs.mobb.ai/mobb-rest-api#tag/fix-reports/get/api/rest/fix-reports/{fixReportId}).
* **New Fix Report Summary in REST API:** A new endpoint is available to retrieve statistics for a specific fix report, including counts of fixable and irrelevant issues. API documentation: [GET fix-reports/{fixReportId}/stats](https://apidocs.mobb.ai/mobb-rest-api#tag/analytics/get/api/rest/fix-reports/{fixReportId}/stats).

**December 8, 2025**

* **Branch Prefix for Pull Requests:** When submitting fixes as a Pull Request, you can now specify an optional branch prefix to follow your team's branch naming conventions (e.g., `feature`, `fix`, `patch`). The prefix will be prepended to the branch name in the format `{prefix}/{branch-name}`. [Click here to learn more](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#optional-branch-prefix).
* **New fixes released:**
  * **Semgrep/Opengrep**
    * [SSRF - node\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-node_ssrf) (JavaScript / TypeScript)
    * [SSRF - phantom\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-phantom_ssrf) (JavaScript / TypeScript)
    * [SSRF - playwright\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-playwright_ssrf) (JavaScript / TypeScript)
    * [SSRF - puppeteer\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-puppeteer_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltoimage\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltoimage_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltopdf\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltopdf_ssrf) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_knex_sqli_injection) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_injection) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_js_injection) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_sqli_injection) (JavaScript / TypeScript)
    * [javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded) (JavaScript / TypeScript)
    * [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect) (JavaScript / TypeScript)
    * [javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect2) (JavaScript / TypeScript)
    * [javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=javascript-xss-rule-express_xss) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_insecure_random_generator) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=nodejs_scan.javascript-exec-rule-shelljs_os_command_exec) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=nodejs_scan.javascript-xss-rule-express_xss) (JavaScript / TypeScript)
    * [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr) (JavaScript / TypeScript)
    * [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr_warning) (JavaScript / TypeScript)
* **New FP rules released:**
  * **Checkmarx**
    * SSRF (JavaScript / TypeScript)
  * **CodeQL**
    * [Server-side request forgery](https://codeql.github.com/codeql-query-help/javascript/js-request-forgery/) (JavaScript / TypeScript)
  * **Semgrep/Opengrep**
    * [SSRF - node\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-node_ssrf) (JavaScript / TypeScript)
    * [SSRF - phantom\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-phantom_ssrf) (JavaScript / TypeScript)
    * [SSRF - playwright\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-playwright_ssrf) (JavaScript / TypeScript)
    * [SSRF - puppeteer\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-puppeteer_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltoimage\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltoimage_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltopdf\_ssrf](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltopdf_ssrf) (JavaScript / TypeScript)
    * [SSRF - node\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-node_ssrf) (JavaScript / TypeScript)
    * [SSRF - phantom\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-phantom_ssrf) (JavaScript / TypeScript)
    * [SSRF - playwright\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-playwright_ssrf) (JavaScript / TypeScript)
    * [SSRF - puppeteer\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltoimage\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltopdf\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf) (JavaScript / TypeScript)
    * [javascript-crypto-rule-node\_md5](https://semgrep.dev/r?q=javascript-crypto-rule-node_md5) (JavaScript / TypeScript)
    * [javascript-crypto-rule-node\_sha1](https://semgrep.dev/r?q=javascript-crypto-rule-node_sha1) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_knex_sqli_injection) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_injection) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_js_injection) (JavaScript / TypeScript)
    * [javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_sqli_injection) (JavaScript / TypeScript)
    * [javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded) (JavaScript / TypeScript)
    * [javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=javascript-xss-rule-express_xss) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=nodejs_scan.javascript-xss-rule-express_xss) (JavaScript / TypeScript)
    * [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr) (JavaScript / TypeScript)
    * [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr_warning) (JavaScript / TypeScript)
    * [python.lang.security.insecure-hash-algorithm-md5](https://github.com/mobb-dev/opengrep-rules/blob/main/python/lang/security/insecure-hash-algorithms-md5.yaml) (Python)
  * **Snyk**
    * [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf) (JavaScript / TypeScript)

**December 2, 2025**

* **Explain Fix Feature Released**: We've added a new "Explain Fix" button to individual fixes in the fix report that provides AI-powered explanations of how and why each security fix was implemented. This feature helps developers understand the security reasoning behind fixes, learn secure coding patterns, and make informed decisions about remediation strategies. [Learn more about working with fix explanations](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#fix-explanation).
* **New Tracy Integration Guides**: Added comprehensive guides for integrating Mobb Tracy with popular AI coding assistants. These guides provide step-by-step instructions for setting up Tracy to monitor AI-generated code in your development workflow:
  * [Tracy with VS Code + GitHub Copilot](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-tracy/vs-code-+-github-copilot) - Complete setup guide for monitoring GitHub Copilot code generation
  * [Tracy with Claude Code](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-tracy/claude-code) - Integration guide for tracking Claude-generated code contributions

**November 14, 2025**

* **Mobb Tracy Released**: Introducing Tracy, our AI code intelligence platform that provides line-level visibility into AI-generated code in pull requests. Tracy shows exactly which lines were written by AI, which model was used, and what prompts created them - enabling smarter code reviews and better AI development practices. [Learn more about Tracy](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-tracy).
* **New fixes released:**
  * **Semgrep/Opengrep**
    * [find\_sec\_bugs.FILE\_UPLOAD\_FILENAME-1](https://semgrep.dev/r?q=find_sec_bugs.FILE_UPLOAD_FILENAME-1) (Java)
    * [find\_sec\_bugs.HTTPONLY\_COOKIE-1](https://semgrep.dev/r?q=find_sec_bugs.HTTPONLY_COOKIE-1) (Java)
    * [find\_sec\_bugs.INSECURE\_COOKIE-1](https://semgrep.dev/r?q=find_sec_bugs.INSECURE_COOKIE-1) (Java)
    * [find\_sec\_bugs.PATH\_TRAVERSAL\_OUT-1.PATH\_TRAVERSAL\_OUT-1](https://semgrep.dev/r?q=find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1) (Java)
    * [find\_sec\_bugs.PREDICTABLE\_RANDOM-1](https://semgrep.dev/r?q=find_sec_bugs.PREDICTABLE_RANDOM-1) (Java)
    * [find\_sec\_bugs.PT\_ABSOLUTE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1) (Java)
    * [find\_sec\_bugs.PT\_RELATIVE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1) (Java)
    * [find\_sec\_bugs.UNVALIDATED\_REDIRECT-1.URL\_REWRITING-1](https://semgrep.dev/r?q=find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1) (Java)
    * [find\_sec\_bugs.WEAK\_FILENAMEUTILS-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_FILENAMEUTILS-1) (Java)
    * [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-1) (Java)
    * [SSRF - phantom\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-phantom_ssrf) (JavaScript / TypeScript)
    * [SSRF - playwright\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-playwright_ssrf) (JavaScript / TypeScript)
    * [SSRF - puppeteer\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltoimage\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf) (JavaScript / TypeScript)
    * [SSRF - wkhtmltopdf\_ssrf](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf) (JavaScript / TypeScript)
    * [eslint.detect-child-process](https://semgrep.dev/r?q=gitlab.eslint.detect-child-process) (JavaScript / TypeScript)
    * [eslint.detect-pseudoRandomBytes](https://semgrep.dev/r?q=gitlab.eslint.detect-pseudoRandomBytes) (JavaScript / TypeScript)
    * [eslint.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=gitlab.eslint.react-dangerouslysetinnerhtml) (JavaScript / TypeScript)
    * [express.security.audit.express-open-redirect.express-open-redirect](https://semgrep.dev/r?q=express.security.audit.express-open-redirect.express-open-redirect) (JavaScript / TypeScript)
    * [express.security.audit.possible-user-input-redirect.unknown-value-in-redirect](https://semgrep.dev/r?q=express.security.audit.possible-user-input-redirect.unknown-value-in-redirect) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_knex_sqli_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_js_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_sqli_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-jwt-rule-hardcoded\_jwt\_secret](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2) (JavaScript / TypeScript)
    * [pt using rendering templates - express\_lfr](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr) (JavaScript / TypeScript)
    * [pt using rendering templates - express\_lfr\_warning](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning) (JavaScript / TypeScript)
    * [B604: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B604) (Python)
    * [Possible cmdi attack](https://semgrep.dev/r?q=bandit.B603) (Python)
    * [The application may be vulnerable to a path traversal if it extracts untrusted archive files.](https://semgrep.dev/r?q=bandit.B202) (Python)
    * [The application was found calling the `exec` function with a non-literal variable](https://semgrep.dev/r?q=bandit.B102) (Python)
    * [XSS](https://semgrep.dev/r?q=bandit.B703) (Python)
    * [possible os cmdi - bandit.B605](https://semgrep.dev/r?q=bandit.B605) (Python)
    * [possible os cmdi - bandit.B606](https://semgrep.dev/r?q=bandit.B606) (Python)
    * [possible os cmdi - bandit.B607](https://semgrep.dev/r?q=bandit.B607) (Python)
    * [possible os cmdi - start-process-partial-path](https://semgrep.dev/r?q=python_exec_rule-start-process-partial-path) (Python)
    * [possible os cmdi - start-process-path](https://semgrep.dev/r?q=python_exec_rule-start-process-path) (Python)
    * [possible os cmdi - subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array) (Python)
    * [sqli - bandit.B608](https://semgrep.dev/r?q=bandit.B608) (Python)
    * [sqli - bandit.B610](https://semgrep.dev/r?q=bandit.B610) (Python)
    * [sqli - bandit.B611](https://semgrep.dev/r?q=bandit.B611) (Python)
    * [sqli - bandit.B611-2](https://semgrep.dev/r?q=bandit.B611-2) (Python)
    * [sqli - bandit.B612](https://semgrep.dev/r?q=bandit.B612) (Python)
    * [sqli - db-cursor-execute](https://semgrep.dev/r?q=django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute) (Python)
  * **SonarQube**
    * [S6471 Running containers as a privileged user is security-sensitive](https://rules.sonarsource.com/docker/RSPEC-6471/) (DOCKERFILE)
* **New FP rules released:**
  * **Semgrep/Opengrep**
    * [find\_sec\_bugs.DES\_USAGE-1](https://semgrep.dev/r?q=find_sec_bugs.DES_USAGE-1) (Java)
    * [find\_sec\_bugs.FILE\_UPLOAD\_FILENAME-1](https://semgrep.dev/r?q=find_sec_bugs.FILE_UPLOAD_FILENAME-1) (Java)
    * [find\_sec\_bugs.PATH\_TRAVERSAL\_OUT-1.PATH\_TRAVERSAL\_OUT-1](https://semgrep.dev/r?q=find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1) (Java)
    * [find\_sec\_bugs.PT\_ABSOLUTE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1) (Java)
    * [find\_sec\_bugs.PT\_RELATIVE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1) (Java)
    * [find\_sec\_bugs.UNVALIDATED\_REDIRECT-1.URL\_REWRITING-1](https://semgrep.dev/r?q=find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1) (Java)
    * [find\_sec\_bugs.WEAK\_FILENAMEUTILS-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_FILENAMEUTILS-1) (Java)
    * [find\_sec\_bugs.WEAK\_MESSAGE\_DIGEST\_MD5-1.WEAK\_MESSAGE\_DIGEST\_SHA1-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1) (Java)
    * [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-1) (Java)
    * [eslint.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=gitlab.eslint.react-dangerouslysetinnerhtml) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-crypto-rule-node\_md5](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_md5) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-crypto-rule-node\_sha1](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_sha1) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_knex_sqli_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_js_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_sqli_injection) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-jwt-rule-hardcoded\_jwt\_secret](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded) (JavaScript / TypeScript)
    * [pt using rendering templates - express\_lfr](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr) (JavaScript / TypeScript)
    * [pt using rendering templates - express\_lfr\_warning](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning) (JavaScript / TypeScript)
    * [B604: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B604) (Python)
    * [Possible cmdi attack](https://semgrep.dev/r?q=bandit.B603) (Python)
    * [The application may be vulnerable to a path traversal if it extracts untrusted archive files.](https://semgrep.dev/r?q=bandit.B202) (Python)
    * [The application was found calling the `exec` function with a non-literal variable](https://semgrep.dev/r?q=bandit.B102) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-1](https://semgrep.dev/r?q=bandit.B303-1) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-2](https://semgrep.dev/r?q=bandit.B303-2) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-3](https://semgrep.dev/r?q=bandit.B303-3) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-4](https://semgrep.dev/r?q=bandit.B303-4) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-5](https://semgrep.dev/r?q=bandit.B303-5) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-6](https://semgrep.dev/r?q=bandit.B303-6) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-7](https://semgrep.dev/r?q=bandit.B303-7) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B303-8](https://semgrep.dev/r?q=bandit.B303-8) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-1](https://semgrep.dev/r?q=bandit.B304-1) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-10](https://semgrep.dev/r?q=bandit.B304-10) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-11](https://semgrep.dev/r?q=bandit.B304-11) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-12](https://semgrep.dev/r?q=bandit.B304-12) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-2](https://semgrep.dev/r?q=bandit.B304-2) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-3](https://semgrep.dev/r?q=bandit.B304-3) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-4](https://semgrep.dev/r?q=bandit.B304-4) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-5](https://semgrep.dev/r?q=bandit.B304-5) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-6](https://semgrep.dev/r?q=bandit.B304-6) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-7](https://semgrep.dev/r?q=bandit.B304-7) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-8](https://semgrep.dev/r?q=bandit.B304-8) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B304-9](https://semgrep.dev/r?q=bandit.B304-9) (Python)
    * [The application was found using an insecure or risky digest or signature algorithm - bandit.B324](https://semgrep.dev/r?q=bandit.B324) (Python)
    * [XSS](https://semgrep.dev/r?q=bandit.B703) (Python)
    * [possible os cmdi - bandit.B605](https://semgrep.dev/r?q=bandit.B605) (Python)
    * [possible os cmdi - bandit.B606](https://semgrep.dev/r?q=bandit.B606) (Python)
    * [possible os cmdi - bandit.B607](https://semgrep.dev/r?q=bandit.B607) (Python)
    * [possible os cmdi - start-process-partial-path](https://semgrep.dev/r?q=python_exec_rule-start-process-partial-path) (Python)
    * [possible os cmdi - start-process-path](https://semgrep.dev/r?q=python_exec_rule-start-process-path) (Python)
    * [possible os cmdi - subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array) (Python)
    * [sqli - bandit.B608](https://semgrep.dev/r?q=bandit.B608) (Python)
    * [sqli - bandit.B610](https://semgrep.dev/r?q=bandit.B610) (Python)
    * [sqli - bandit.B611](https://semgrep.dev/r?q=bandit.B611) (Python)
    * [sqli - bandit.B611-2](https://semgrep.dev/r?q=bandit.B611-2) (Python)
    * [sqli - bandit.B612](https://semgrep.dev/r?q=bandit.B612) (Python)
    * [sqli - db-cursor-execute](https://semgrep.dev/r?q=django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute) (Python)
  * **SonarQube**
    * [S6471 Running containers as a privileged user is security-sensitive](https://rules.sonarsource.com/docker/RSPEC-6471/) (DOCKERFILE)

**November 4, 2025**

* **Claude Code Integration Guide Released**: Published a comprehensive setup guide for integrating Mobb Vibe Shield (MVS) with Anthropic's Claude Code AI coding assistant. This integration enables developers to use Mobb's automated fixing capabilities directly within Claude Code through Model Context Protocol (MCP). [View the complete setup guide](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/vs-code-+-claude-code).

**October 28, 2025**

* **Gemini Code Assist Integration Now Available**: Mobb Vibe Shield (MVS) now supports Google's Gemini Code Assist through Model Context Protocol (MCP) integration in VS Code. This integration brings Mobb's automated fixing capabilities directly into Gemini's agent mode, enabling developers to seamlessly incorporate security testing into their AI-assisted development workflow. [View the complete setup guide](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/vs-code-+-gemini-code-assist).
* **New fixes released:**
  * **CodeQL**
    * [Information exposure through an error message](https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/) (Java)
    * [DOM text reinterpreted as HTML](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-dom/) (JavaScript / TypeScript)
* **New FP rules released:**
  * **Checkmarx**
    * Reflected XSS All Clients (Java)
    * Stored XSS (Java)
    * Absolute Path Traversal (JavaScript / TypeScript)
    * Client Password In Comment (JavaScript / TypeScript)
    * Relative Path Traversal (JavaScript / TypeScript)
    * [Password in Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/13336864677243390331) (Python)
  * **CodeQL**
    * [Cross-site scripting](https://codeql.github.com/codeql-query-help/java/java-xss/) (Java)
    * [Information exposure through an error message](https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/) (Java)
    * [DOM text reinterpreted as HTML](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-dom/) (JavaScript / TypeScript)
    * [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/javascript/js-path-injection/) (JavaScript / TypeScript)
  * **Fortify**
    * [Cross-Site Scripting: Reflected](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Reflected#Java%2FJSP) (Java)
    * [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#JavaScript%2FTypeScript) (JavaScript / TypeScript)
    * [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#JavaScript%2FTypeScript) (JavaScript / TypeScript)
    * [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Python) (Python)
    * [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Universal) (XML)
  * **Semgrep/Opengrep**
    * [Detected possible path traversal](https://semgrep.dev/r?q=eslint.detect-non-literal-fs-filename) (JavaScript / TypeScript)
    * [Detected possible path traversal](https://semgrep.dev/r?q=lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename) (JavaScript / TypeScript)
    * [Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.](https://semgrep.dev/r?q=lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal) (JavaScript / TypeScript)
    * [Possible writing outside of the destination, make sure that the target path is nested in the intended destination](https://semgrep.dev/r?q=express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal) (JavaScript / TypeScript)
    * [javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename) (JavaScript / TypeScript)
  * **Snyk**
    * [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss) (Java)
    * [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal) (JavaScript / TypeScript)
  * **SonarQube**
    * [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/java/RSPEC-5131/) (Java)
    * [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/javascript/RSPEC-2083/) (JavaScript / TypeScript)
    * [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2083/) (JavaScript / TypeScript)

**October 22, 2025**

* **Enhanced Issues API v5 Released**: Introduced the [GET Issues v5](https://apidocs.mobb.ai/mobb-rest-api#tag/issues/get/api/rest/v5/issues) REST API endpoint with significant enhancements over v4, including false positive support through the `fpDescription` field and improved filtering through the `fixReportId` parameter for more granular issue queries.

**October 20, 2025**

* **Comprehensive Technical Brief Released**: Published a complete technical overview designed as a single-source document for understanding Mobb's technology stack, architecture, and platform capabilities. Perfect for technical stakeholders, security teams, and anyone seeking a consolidated technical understanding of how Mobb works, covering everything from fix generation algorithms to deployment options. [Read the full technical brief](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-technical-brief).
* **New fixes released:**
  * **Semgrep/Opengrep**
    * [OS command injection](https://semgrep.dev/r?q=gitlab.gosec.G204-1) (GO)
    * Path Traversal (Java)
    * Tainted File Path (Java)
    * [Detected possible path traversal](https://semgrep.dev/r?q=eslint.detect-non-literal-fs-filename) (JavaScript / TypeScript)
    * [Detected possible path traversal](https://semgrep.dev/r?q=lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename) (JavaScript / TypeScript)
    * [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-node_ssrf) (JavaScript / TypeScript)
    * [ajinabraham.njsscan.crypto.crypto\_node.node\_insecure\_random\_generator](https://semgrep.dev/r?q=ajinabraham.njsscan.crypto.crypto_node.node_insecure_random_generator) (JavaScript / TypeScript)
    * [eslint.detect-non-literal-regexp](https://semgrep.dev/r?q=eslint.detect-non-literal-regexp) (JavaScript / TypeScript)
    * [gitlab.nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-crypto-rule-node_insecure_random_generator) (JavaScript / TypeScript)
    * [njsscan.dos.regex\_dos.regex\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_dos.regex_dos) (JavaScript / TypeScript)
    * [njsscan.dos.regex\_injection.regex\_injection\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_injection.regex_injection_dos) (JavaScript / TypeScript)
    * [nodejs\_scan.javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=nodejs_scan.javascript-dos-rule-regex_dos) (JavaScript / TypeScript)
* **New FP rules released:**
  * **Semgrep/Opengrep**
    * [OS command injection](https://semgrep.dev/r?q=gitlab.gosec.G204-1) (GO)
    * Path Traversal (Java)
    * Tainted File Path (Java)
    * [eslint.detect-non-literal-regexp](https://semgrep.dev/r?q=eslint.detect-non-literal-regexp) (JavaScript / TypeScript)
    * [njsscan.dos.regex\_injection.regex\_injection\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_injection.regex_injection_dos) (JavaScript / TypeScript)

**October 10, 2025**

* **MVS Auto-Fix Mode**: Introducing continuous automated security scanning and fixing! Enable Auto-Fix Mode in your IDE settings for silent background vulnerability detection and automatic remediation using OpenGrep + Mobb fixes. No more manual intervention needed - just code while Mobb keeps you secure! [Learn more](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs#mvs-auto-fix-mode).
* **New fixes released:**
  * **Semgrep/Opengrep**
    * [dgryski.semgrep-go.errnilcheck.err-nil-check](https://semgrep.dev/r?q=dgryski.semgrep-go.errnilcheck.err-nil-check) (GO)
    * File Path Traversal in HttpServlet (Java)
    * Relative File Path Traversal in HttpServlet (Java)
    * SQL Injection (Java)
    * [Server-Side-Request-Forgery (SSRF)](https://semgrep.dev/r?q=gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1) (Java)
    * [detect-non-literal-regexp](https://semgrep.dev/r?q=detect-non-literal-regexp) (JavaScript / TypeScript)
    * [eslint.detect-object-injection](https://semgrep.dev/r?q=eslint.detect-object-injection) (JavaScript / TypeScript)
    * [gitlab.eslint.detect-object-injection](https://semgrep.dev/r?q=gitlab.eslint.detect-object-injection) (JavaScript / TypeScript)
    * [gitlab.nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=javascript-crypto-rule-node_insecure_random_generator) (JavaScript / TypeScript)
    * [javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=javascript-dos-rule-regex_dos) (JavaScript / TypeScript)
    * [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect) (JavaScript / TypeScript)
    * [javascript.browser.security.insecure-innerhtml.insecure-innerhtml](https://semgrep.dev/r?q=javascript.browser.security.insecure-innerhtml.insecure-innerhtml) (JavaScript / TypeScript)
    * [njsscan.generic.hardcoded\_secrets.node\_password](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_password) (JavaScript / TypeScript)
    * [njsscan.generic.hardcoded\_secrets.node\_secret](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_secret) (JavaScript / TypeScript)
    * [B113: request\_without\_timeout](https://semgrep.dev/r?q=gitlab.bandit.B113) (Python)
    * [B602: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B602) (Python)
    * [B603: subprocess\_without\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B603) (Python)
    * [python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true](https://semgrep.dev/r?q=python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true) (Python)
    * [python\_exec\_rule-subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array) (Python)
* **New FP rules released:**
  * **Semgrep/Opengrep**
    * File Path Traversal in HttpServlet (Java)
    * Relative File Path Traversal in HttpServlet (Java)
    * SQL Injection (Java)
    * [Server-Side-Request-Forgery (SSRF)](https://semgrep.dev/r?q=gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1) (Java)
    * [WEAK\_MESSAGE\_DIGEST\_MD5-1.WEAK\_MESSAGE\_DIGEST\_SHA1-1](https://semgrep.dev/r?q=WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1) (Java)
    * [detect-non-literal-regexp](https://semgrep.dev/r?q=detect-non-literal-regexp) (JavaScript / TypeScript)
    * [javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=javascript-dos-rule-regex_dos) (JavaScript / TypeScript)
    * [javascript.browser.security.insecure-innerhtml.insecure-innerhtml](https://semgrep.dev/r?q=javascript.browser.security.insecure-innerhtml.insecure-innerhtml) (JavaScript / TypeScript)
    * [njsscan.generic.hardcoded\_secrets.node\_password](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_password) (JavaScript / TypeScript)
    * [njsscan.generic.hardcoded\_secrets.node\_secret](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_secret) (JavaScript / TypeScript)
    * [B303-8](https://semgrep.dev/r?q=bandit.B303-8) (Python)
    * [B602: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B602) (Python)
    * [B603: subprocess\_without\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B603) (Python)
    * [python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true](https://semgrep.dev/r?q=python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true) (Python)
    * [python\_exec\_rule-subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array) (Python)

**September 26, 2025**

* **New fixes released:**
  * **Semgrep/Opengrep**
    * java.mobb.custom\_injection (Java)
    * [lang.security.audit.dangerous-asyncio-create-exec-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-asyncio-create-exec-audit) (Python)
    * [An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.](https://semgrep.dev/r/github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha) (YAML)
    * [github-actions.security.third-party-action-not-pinned-to-commit-sha](https://semgrep.dev/r/github-actions.security.third-party-action-not-pinned-to-commit-sha) (YAML)
* **New FP rules released:**
  * **Semgrep/Opengrep**
    * java.mobb.custom\_injection (Java)
    * [lang.security.audit.dangerous-asyncio-create-exec-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-asyncio-create-exec-audit) (Python)

**September 19, 2025**

* **Organization-Level Activity Dashboard**: Released a comprehensive organization-wide analytics dashboard providing aggregated metrics, fix coverage, and engagement statistics across all projects. Click here to learn [more](https://docs.mobb.ai/mobb-user-docs/mobb-dashboard#activity-dashboard).
* **Project-Level Activity Dashboard**: Launched a dedicated project-specific dashboard offering detailed visibility into fix coverage, engagement metrics, and trends for individual projects. Click here to learn [more](https://docs.mobb.ai/mobb-user-docs/mobb-dashboard/project-level-activity-dashboard).
* **Devin.ai + Mobb Vibe Shield Integration Guide**: Published a comprehensive setup guide for integrating Mobb Vibe Shield (MVS) with Devin.ai's autonomous AI coding platform. Click here to learn [more](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/devin.ai).
* **Tabnine + Mobb Vibe Shield Integration Guide**: Released step-by-step documentation for integrating Mobb Vibe Shield (MVS) with Tabnine AI coding platform. Click here to learn [more](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/tabnine-enterprise).
* **New fixes released:**
  * **Semgrep/Opengrep**
    * [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-2](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-2) (Java)
    * [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1) (Java)
    * [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1.SQL\_INJECTION-1.SQL\_INJECTION\_HIBERNATE-1.SQL\_INJECTION\_VERTX-1.SQL\_PREPARED\_STATEMENT\_GENERATED\_FROM\_NONCONSTANT\_STRING-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1) (Java)
    * [java.lang.security.audit.formatted-sql-string.formatted-sql-string](https://semgrep.dev/r?q=java.lang.security.audit.formatted-sql-string.formatted-sql-string) (Java)
    * [java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli) (Java)
    * [java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request) (Java)
    * [javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename) (JavaScript / TypeScript)
* **New FP rules released:**
  * **Checkmarx**
    * Log Forging (JavaScript / TypeScript)
  * **CodeQL**
    * [Log injection](https://codeql.github.com/codeql-query-help/javascript/js-log-injection/) (JavaScript / TypeScript)
  * **Semgrep/Opengrep**
    * [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-2](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-2) (Java)
    * [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1) (Java)
    * [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1.SQL\_INJECTION-1.SQL\_INJECTION\_HIBERNATE-1.SQL\_INJECTION\_VERTX-1.SQL\_PREPARED\_STATEMENT\_GENERATED\_FROM\_NONCONSTANT\_STRING-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1) (Java)
    * [java.lang.security.audit.formatted-sql-string.formatted-sql-string](https://semgrep.dev/r?q=java.lang.security.audit.formatted-sql-string.formatted-sql-string) (Java)
    * [java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli) (Java)
    * [java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request) (Java)
    * [javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring](https://semgrep.dev/r?q=javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring) (JavaScript / TypeScript)
    * javascript.mobb.log\_forging (JavaScript / TypeScript)
    * [python.lang.security.insecure-hash-algorithm-md5](https://github.com/opengrep/opengrep-rules/blob/main/python/lang/security/insecure-hash-algorithms-md5.yaml) (Python)

**September 12, 2025**

* Released a new setup guide for Mobb Vibe Shield on GitLab Duo (Click here to learn [more](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/vs-code-+-gitlab-duo-chat))
* Released a new REST API endpoint for [GET Project Dashboard Activity](https://apidocs.mobb.ai/mobb-rest-api#tag/analytics/get/api/rest/organizations/{organizationId}/projects/{projectId}/dashboard-activity)
* Released an enhanced [GET Fix-Report v2](https://apidocs.mobb.ai/mobb-rest-api#tag/fix-reports/get/api/rest/v2/fix-reports) REST API with improved pagination, allowing large result sets to be queried.
* **New fixes released:**
  * **Fortify**
    * [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Reques%20Forgery) (Java)
    * [HTML5: Missing Content Security Policy](https://vulncat.fortify.com/en/detail?category=HTML5\&subcategory=Missing%20Content%20Security%20Policy) (Java)
    * [SQL Injection: Persistence](https://vulncat.fortify.com/en/detail?category=SQL%20Injection\&subcategory=Persistence#Java%2fJSP) (Java)
    * [Spring Security Misconfiguration: Default Permit](https://vulncat.fortify.com/en/detail?category=Spring%20Security%20Misconfiguration\&subcategory=Default%20Permit) (Java)
  * **Semgrep/Opengrep**
    * [javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator](https://semgrep.dev/r?q=javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator) (JavaScript / TypeScript)
    * [bandit.B101](https://semgrep.dev/r/bandit.B101) (Python)
    * [lang.correctness.return-in-init.return-in-init](https://semgrep.dev/r/?q=python.lang.correctness.return-in-init.return-in-init) (Python)
    * [lang.maintainability.is-function-without-parentheses.is-function-without-parentheses](https://semgrep.dev/r?q=lang.maintainability.is-function-without-parentheses.is-function-without-parentheses) (Python)
    * [lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit) (Python)
    * [python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit) (Python)
* **New FP rules released:**
  * **Fortify**
    * [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Reques%20Forgery) (Java)
    * [HTML5: Missing Content Security Policy](https://vulncat.fortify.com/en/detail?category=HTML5\&subcategory=Missing%20Content%20Security%20Policy) (Java)
    * [SQL Injection: Persistence](https://vulncat.fortify.com/en/detail?category=SQL%20Injection\&subcategory=Persistence#Java%2fJSP) (Java)
    * [Spring Security Misconfiguration: Default Permit](https://vulncat.fortify.com/en/detail?category=Spring%20Security%20Misconfiguration\&subcategory=Default%20Permit) (Java)
  * **Semgrep/Opengrep**
    * [javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator](https://semgrep.dev/r?q=javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator) (JavaScript / TypeScript)
    * [lang.correctness.return-in-init.return-in-init](https://semgrep.dev/r/?q=python.lang.correctness.return-in-init.return-in-init) (Python)
    * [lang.maintainability.is-function-without-parentheses.is-function-without-parentheses](https://semgrep.dev/r?q=lang.maintainability.is-function-without-parentheses.is-function-without-parentheses) (Python)
    * [lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit) (Python)
    * [python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit) (Python)

**September 2, 2025**

* **New fixes released:**
  * **Fortify**
    * [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter) (C#)
    * [Denial of Service](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service) (Java)
    * [Dynamic Code Evaluation: Code Injection](https://vulncat.fortify.com/en/detail?category=Dynamic%20Code%20Evaluation#Universal) (Python)
  * **Semgrep/Opengrep**
    * [OS command injection](https://semgrep.dev/r/security_code_scan.SCS0001-1) (C#)
    * [typescript.lang.correctness.useless-ternary.useless-ternary](https://semgrep.dev/r?q=typescript.lang.correctness.useless-ternary.useless-ternary) (JavaScript / TypeScript)
    * [bandit.B201](https://semgrep.dev/r?q=bandit.B201) (Python)
    * [bandit.B307](https://semgrep.dev/r?q=bandit.B307) (Python)
    * [django.security.injection.code.user-eval-format-string.user-eval-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-eval-format-string.user-eval-format-string) (Python)
    * [django.security.injection.code.user-eval.user-eval](https://semgrep.dev/r?q=django.security.injection.code.user-eval.user-eval) (Python)
    * [flask.security.injection.user-eval.eval-injection](https://semgrep.dev/r?q=flask.security.injection.user-eval.eval-injection) (Python)
    * [gitlab.bandit.B113](https://semgrep.dev/r?q=bandit.B113) (Python)
    * [lang.security.audit.eval-detected.eval-detected](https://semgrep.dev/r?q=lang.security.audit.eval-detected.eval-detected) (Python)
    * [python.lang.correctness.exit.use-sys-exit](https://semgrep.dev/r?q=python.lang.correctness.exit.use-sys-exit) (Python)
    * [python.lang.maintainability.useless-ifelse.useless-if-body](https://semgrep.dev/r?q=python.lang.maintainability.useless-ifelse.useless-if-body) (Python)
    * [python.requests.best-practice.use-raise-for-status.use-raise-for-status](https://semgrep.dev/r?q=python.requests.best-practice.use-raise-for-status.use-raise-for-status) (Python)
    * [python.requests.best-practice.use-timeout.use-timeout](https://semgrep.dev/r?q=python.requests.best-practice.use-timeout.use-timeout) (Python)
* **New FP rules released:**
  * **Fortify**
    * [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter) (C#)
    * [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#C%23%2FVB.NET%2FASP.NET) (C#)
    * [Denial of Service](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service) (Java)
    * [Dynamic Code Evaluation: Code Injection](https://vulncat.fortify.com/en/detail?category=Dynamic%20Code%20Evaluation#Universal) (Python)
  * **Semgrep/Opengrep**
    * [OS command injection](https://semgrep.dev/r/security_code_scan.SCS0001-1) (C#)
    * [secrets.gitleaks.jwt.jwt](https://semgrep.dev/r/?q=secrets.gitleaks.jwt.jwt) (DEFAULT)
    * [bandit.B307](https://semgrep.dev/r?q=bandit.B307) (Python)
    * [django.security.injection.code.user-eval-format-string.user-eval-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-eval-format-string.user-eval-format-string) (Python)
    * [django.security.injection.code.user-eval.user-eval](https://semgrep.dev/r?q=django.security.injection.code.user-eval.user-eval) (Python)
    * [flask.security.injection.user-eval.eval-injection](https://semgrep.dev/r?q=flask.security.injection.user-eval.eval-injection) (Python)
    * [lang.security.audit.eval-detected.eval-detected](https://semgrep.dev/r?q=lang.security.audit.eval-detected.eval-detected) (Python)
    * [sqlalchemy.correctness.delete-where.delete-where-no-execute](https://semgrep.dev/r?q=sqlalchemy.correctness.delete-where.delete-where-no-execute) (Python)
    * [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key) (YAML)
    * [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key.generic-api-key) (YAML)

**August 28, 2025**

* **Safe Vibe Codes Security Scanner Released:** Launched [Safe Vibe Codes](https://safevibe.codes/) - a specialized security scanner designed to identify and address security vulnerabilities in AI-generated code applications. Currently supports Bolt.new, Lovable, Base44 and V0 by Vercel platforms.
* **Ticket ID in Pull Request Title**: Added support for embedding ticket IDs (e.g., Jira or Linear issue numbers) directly into pull request titles, descriptions, and commit messages, ensuring compliance with internal development workflows that require PR-ticket linkage for both single and bulk fix operations. Click [here](https://docs.mobb.ai/mobb-user-docs/integrating-with-issue-tracking-systems/embedding-ticket-id-in-pull-requests) to learn more.
* **Added User Last Activity Tracking**: Mobb now tracks user last activity dates via the REST API endpoint `GET /api/rest/users/{userId}`, enabling administrators to identify inactive accounts. Click [here](https://apidocs.mobb.ai/mobb-rest-api#tag/users/get/api/rest/users/{userId}) to try it out.
* **Added Enhanced Issues API v4**: Introduced a new optimized `GET /api/rest/v4/issues` endpoint with improved pagination performance for retrieving vulnerability issues and their associated fixes across all analyses. Click [here](https://apidocs.mobb.ai/mobb-rest-api#tag/issues/get/api/rest/v4/issues) to try it out.
* **Enhanced Issue State Management**: GET issue details (`GET /api/rest/issues/{issueId}`) responses now include a new `FalsePositive` state in the vulnerability report issue state enumeration, providing better categorization and filtering capabilities for security findings that have been identified as false positives. Click [here](https://apidocs.mobb.ai/mobb-rest-api#tag/issues/get/api/rest/issues/{issueId}) to try it out.
* **ArmorCode Integration is now Active**: Mobb is now integrated with ArmorCode's application security orchestration platform, enabling seamless vulnerability management and automated fix workflows within ArmorCode's unified security dashboard. [Reach out to us](mailto:support@mobb.ai) to get started with this integration.
* **Enhanced Mobb Vibe Shield Background Scanning**: Mobb Vibe Shield now performs periodic security scans automatically in the background without interrupting developer workflow, providing continuous security monitoring and fixes directly within your IDE environment. Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs#id-3.-check_for_new_available_fixes) to learn more.
* **Microsoft Entra ID SSO Integration Guide Published**: Released documentation for configuring SAML-based SSO with Microsoft Entra ID. Click [here](https://docs.mobb.ai/mobb-user-docs/administration/single-sign-on-sso/connecting-entra-id-to-mobb) to learn more.
* **Mobb On-Premise Support**: Mobb now supports on-premise deployment (private AWS cloud), enabling organizations to run Mobb within their own private cloud infrastructure.
* **New fixes released:**
  * **Fortify**
    * [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter) (C#)
    * [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#Java%2fJSP) (Java)
  * **Semgrep/Opengrep**
    * [typescript.lang.correctness.useless-ternary.useless-ternary](https://semgrep.dev/r?q=typescript.lang.correctness.useless-ternary.useless-ternary) (JavaScript / TypeScript)
    * [yaml.docker-compose.security.no-new-privileges.no-new-privileges](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges) (YAML)
    * [Service has a writable filesystem](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service) (YAML)
    * [Service port is exposed on all interfaces](https://semgrep.dev/r/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces) (YAML)
* **New FP rules released:**
  * **Checkmarx**
    * Privacy Violation (Java)
    * SQL Injection (Java)
    * SQL Injection Evasion Attack (Java)
  * **CodeQL**
    * [Query built by concatenation with a possibly-untrusted string](https://codeql.github.com/codeql-query-help/java/java-concatenated-sql-query/) (Java)
    * [Query built from user-controlled sources](https://codeql.github.com/codeql-query-help/java/java-sql-injection/) (Java)
  * **Fortify**
    * [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter) (C#)
    * [Header Manipulation](https://vulncat.fortify.com/en/detail?category=Header%20Manipulation) (Java)
    * [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#Java%2fJSP) (Java)
    * [Privacy Violation](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation#Java%2FJSP) (Java)
    * [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Java%2FJSP) (Java)
  * **Semgrep/Opengrep**
    * [lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.jdbc-sqli.jdbc-sqli) (Java)
    * [lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request) (Java)
    * [yaml.docker-compose.security.no-new-privileges.no-new-privileges](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges) (YAML)
    * [Service has a writable filesystem](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service) (YAML)
    * [Service port is exposed on all interfaces](https://semgrep.dev/r/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces) (YAML)
  * **Snyk**
    * [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection) (Java)
  * **SonarQube**
    * [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-3649/) (Java)

**August 8, 2025**

* **Enhanced SAST File Processing Performance in Mobb UI:** The SAST file upload and processing workflow has been significantly optimized to improve user experience. Users can now proceed to the next configuration step immediately after the file upload completes, while vulnerability report processing now occurs asynchronously in the background. This enhancement eliminates the previous wait time needed for uploading large SAST report files.
* **Resolved Issue Classification Bug:** Resolved an issue where vulnerability findings were being incorrectly classified as "Filtered" in the Irrelevant Issues section. The system now correctly applies filtering policies, ensuring that only user- or admin-defined issue types are classified as filtered. This fix prevents the misclassification of other vulnerability types, providing more accurate analysis results and better visibility into actionable security findings.
* **New fixes released:**
  * **Semgrep/Opengrep**
    * [security\_code\_scan.SCS0001-1](https://semgrep.dev/r/security_code_scan.SCS0001-1) (C#)
    * [Use of cryptographically weak Pseudo-Random Number Generator (PRNG)](https://semgrep.dev/r?q=gitlab.security_code_scan.SCS0005-1) (C#)
    * [csharp/lang.best-practice.structured-logging.structured-logging](https://semgrep.dev/r?q=csharp.lang.best-practice.structured-logging.structured-logging) (C#)
    * [lang.security.sqli.csharp-sqli.csharp-sqli](https://semgrep.dev/r?q=lang.security.sqli.csharp-sqli.csharp-sqli) (C#)
    * [security\_code\_scan.SCS0002-1](https://semgrep.dev/p/security-code-scan) (C#)
    * [typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml) (JavaScript / TypeScript)
    * [A missing encoding argument in open() can lead to corrupted data](https://semgrep.dev/r/lang.best-practice.unspecified-open-encoding.unspecified-open-encoding) (Python)
    * [python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup](https://semgrep.dev/r?q=python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup) (Python)
* **New FP rules released:**
  * **Checkmarx**
    * SQL Injection (C#)
    * Use of Insufficiently Random Values (C#)
  * **CodeQL**
    * [Insecure randomness](https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/) (C#)
  * **Fortify**
    * [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#C%23%2FVB.NET%2FASP.NET) (C#)
    * [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#C%23%2FVB.NET%2FASP.NET) (C#)
    * [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#C%23%2FVB.NET%2FASP.NET) (C#)
  * **Semgrep/Opengrep**
    * [security\_code\_scan.SCS0001-1](https://semgrep.dev/r/security_code_scan.SCS0001-1) (C#)
    * [Use of cryptographically weak Pseudo-Random Number Generator (PRNG)](https://semgrep.dev/r?q=gitlab.security_code_scan.SCS0005-1) (C#)
    * [csharp/lang.best-practice.structured-logging.structured-logging](https://semgrep.dev/r?q=csharp.lang.best-practice.structured-logging.structured-logging) (C#)
    * [lang.security.sqli.csharp-sqli.csharp-sqli](https://semgrep.dev/r?q=lang.security.sqli.csharp-sqli.csharp-sqli) (C#)
    * [security\_code\_scan.SCS0002-1](https://semgrep.dev/p/security-code-scan) (C#)
    * [typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml) (JavaScript / TypeScript)
    * [A missing encoding argument in open() can lead to corrupted data](https://semgrep.dev/r/lang.best-practice.unspecified-open-encoding.unspecified-open-encoding) (Python)
    * [python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup](https://semgrep.dev/r?q=python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup) (Python)
  * **Snyk**
    * [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection) (C#)
    * [Use of Insufficiently Random Values](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-87-use-of-insufficiently-random-values) (C#)
  * **SonarQube**
    * [Secure random number generators should not output predictable values](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-4347/) (C#)

**July 30, 2025**

* **Introducing Adaptive Fixes:** Our AI-generated fixes have significantly matured and evolved beyond their previous "Beta" status. These fixes are now classified as "Adaptive" as they intelligently adapt to your specific coding patterns and style, providing more contextually appropriate solutions that seamlessly integrate with your existing codebase. Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#confidence) to learn more.
* **New fixes released:**
  * **Semgrep/Opengrep**
    * [security.missing-user-entrypoint.missing-user-entrypoint](https://semgrep.dev/r?q=security.missing-user-entrypoint.missing-user-entrypoint) (DOCKERFILE)
    * [security.missing-user.missing-user](https://semgrep.dev/r?q=security.missing-user.missing-user) (DOCKERFILE)
    * [lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal](https://semgrep.dev/r?q=lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal) (JavaScript / TypeScript)
    * [express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal](https://semgrep.dev/r?q=express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal) (JavaScript / TypeScript)
    * [browser.security.eval-detected.eval-detected](https://semgrep.dev/r?q=browser.security.eval-detected.eval-detected) (JavaScript / TypeScript)
    * [javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration](https://semgrep.dev/r?q=javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration) (JavaScript / TypeScript)
    * [javascript.lang.security.detect-child-process.detect-child-process](https://semgrep.dev/r?q=lang.security.detect-child-process.detect-child-process) (JavaScript / TypeScript)
    * javascript.mobb.log\_forging (JavaScript / TypeScript)
    * [lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure](https://semgrep.dev/r?q=python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure) (Python)
    * [python.django.security.audit.avoid-mark-safe.avoid-mark-safe](https://semgrep.dev/r?q=python.django.security.audit.avoid-mark-safe.avoid-mark-safe) (Python)
    * [python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2](https://semgrep.dev/r?q=python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2) (Python)
    * [python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled](https://semgrep.dev/r?q=python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled) (Python)
* **New FP rules released:**
  * **Checkmarx**
    * Client DOM Stored XSS (JavaScript / TypeScript)
    * Client DOM XSS (JavaScript / TypeScript)
    * Client Potential XSS (JavaScript / TypeScript)
    * Stored XSS (JavaScript / TypeScript)
    * [XSS](https://deu.ast.checkmarx.net/resourceManagement/presets/description/79/11301225196674651062) (Python)
  * **CodeQL**
    * [Client-side cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss/) (JavaScript / TypeScript)
    * [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-reflected-xss/) (JavaScript / TypeScript)
    * [Jinja2 templating with autoescape=False](https://codeql.github.com/codeql-query-help/python/py-jinja2-autoescape-false/) (Python)
    * [XSS](https://codeql.github.com/codeql-query-help/python/py-reflective-xss/) (Python)
  * **Fortify**
    * [Cross-Site Scripting: DOM](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=DOM#JavaScript%2FTypeScript) (JavaScript / TypeScript)
    * [Cross-Site Scripting: Self](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Self#JavaScript%2FTypeScript) (JavaScript / TypeScript)
  * **Semgrep/Opengrep**
    * [csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash](https://semgrep.dev/r?q=csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash) (C#)
    * [security.missing-user-entrypoint.missing-user-entrypoint](https://semgrep.dev/r?q=security.missing-user-entrypoint.missing-user-entrypoint) (DOCKERFILE)
    * [security.missing-user.missing-user](https://semgrep.dev/r?q=security.missing-user.missing-user) (DOCKERFILE)
    * [browser.security.eval-detected.eval-detected](https://semgrep.dev/r?q=browser.security.eval-detected.eval-detected) (JavaScript / TypeScript)
    * [browser.security.insecure-document-method.insecure-document-method](https://semgrep.dev/r?q=browser.security.insecure-document-method.insecure-document-method) (JavaScript / TypeScript)
    * [javascript.browser.security.raw-html-concat.raw-html-concat](https://semgrep.dev/r?q=javascript.browser.security.raw-html-concat.raw-html-concat) (JavaScript / TypeScript)
    * [javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration](https://semgrep.dev/r?q=javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration) (JavaScript / TypeScript)
    * [javascript.crypto-js.cryptojs-weak-algorithm.cryptojs-weak-algorithm](https://semgrep.dev/r?q=javascript.crypto-js.cryptojs-weak-algorithm.cryptojs-weak-algorithm) (JavaScript / TypeScript)
    * [javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape](https://semgrep.dev/r?q=javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape) (JavaScript / TypeScript)
    * [javascript.express.security.injection.raw-html-format.raw-html-format](https://semgrep.dev/r?q=javascript.express.security.injection.raw-html-format.raw-html-format) (JavaScript / TypeScript)
    * [javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector](https://semgrep.dev/r?q=javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector) (JavaScript / TypeScript)
    * [javascript.jssha.jssha-sha1.jssha-sha1](https://semgrep.dev/r?q=javascript.jssha.jssha-sha1.jssha-sha1) (JavaScript / TypeScript)
    * [javascript.node-stdlib.cryptography.crypto-weak-algorithm.crypto-weak-algorithm](https://semgrep.dev/r?q=javascript.node-stdlib.cryptography.crypto-weak-algorithm.crypto-weak-algorithm) (JavaScript / TypeScript)
    * [react.security.audit.react-unsanitized-method.react-unsanitized-method](https://semgrep.dev/r?q=react.security.audit.react-unsanitized-method.react-unsanitized-method) (JavaScript / TypeScript)
    * [jwt.security.jwt-hardcode.jwt-python-hardcoded-secret](https://semgrep.dev/r?q=python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret) (Python)
    * [lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure](https://semgrep.dev/r?q=python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure) (Python)
    * [pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret](https://semgrep.dev/r?q=python.pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret) (Python)
    * [python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5) (Python)
    * [python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1) (Python)
    * [python.django.security.audit.avoid-mark-safe.avoid-mark-safe](https://semgrep.dev/r?q=python.django.security.audit.avoid-mark-safe.avoid-mark-safe) (Python)
    * [python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2](https://semgrep.dev/r?q=python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2) (Python)
    * [python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled](https://semgrep.dev/r?q=python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled) (Python)
    * [python.lang.security.audit.sha224-hash.sha224-hash](https://semgrep.dev/r?q=python.lang.security.audit.sha224-hash.sha224-hash) (Python)
    * [python.lang.security.insecure-hash-function.insecure-hash-function](https://semgrep.dev/r?q=python.lang.security.insecure-hash-function.insecure-hash-function) (Python)
    * [python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2) (Python)
    * [python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4) (Python)
    * [python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5) (Python)
    * [python.pycryptodome.security.insecure-hash-algorithm-sha1.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-sha1.insecure-hash-algorithm-sha1) (Python)
  * **Snyk**
    * [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss) (JavaScript / TypeScript)
    * Cross Site Scripting (XSS) (Python)
    * [Jinja auto-escape is set to false](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules/python-rules) (Python)
  * **SonarQube**
    * [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/javascript/RSPEC-5696/) (JavaScript / TypeScript)
    * [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5696/) (JavaScript / TypeScript)
    * [Disabling auto-escaping in template engines is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5247/) (Python)

**July 21, 2025**

* Added an integration with Linear: you can now create fixes as Linear tickets directly through Mobb. Click [here](https://docs.mobb.ai/mobb-user-docs/integrating-with-issue-tracking-systems/linear) to learn more.
* **New fixes released:**
  * **Checkmarx**
    * Reflected XSS (C#)
    * [Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/13646819717326216658) (Python)
    * [Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/14606273189609098459) (Python)
    * [Stored Command Argument Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/88/6227086963064089467) (Python)
  * **CodeQL**
    * [No space for zero terminator](https://codeql.github.com/codeql-query-help/cpp/cpp-no-space-for-terminator/) (CPP)
    * [Code injection](https://codeql.github.com/codeql-query-help/python/py-code-injection/) (Python)
  * **Datadog**
    * [no-exec](https://docs.datadoghq.com/security/default_rules/#command-injection) (Python)
  * **Fortify**
    * Cross-Site Scripting: Persistent (C#)
    * [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#C%23%2FVB.NET%2FASP.NET) (C#)
    * [Buffer Overflow](https://vulncat.fortify.com/en/detail?category=Buffer%20Overflow) (CPP)
    * [String Termination Error](https://vulncat.fortify.com/en/detail?category=String%20Termination%20Error) (CPP)
    * [HTTP Parameter Pollution](https://vulncat.fortify.com/en/detail?category=HTTP%20Parameter%20Pollution) (Java)
  * **Semgrep/Opengrep**
    * java/mobb.pt\_find\_transitives (Java)
    * [javascript.lang.security.detect-child-process.detect-child-process](https://semgrep.dev/r?q=lang.security.detect-child-process.detect-child-process) (JavaScript / TypeScript)
    * [browser.security.insecure-document-method.insecure-document-method](https://semgrep.dev/r?q=browser.security.insecure-document-method.insecure-document-method) (JavaScript / TypeScript)
    * [javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization](https://semgrep.dev/r?q=javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization) (JavaScript / TypeScript)
    * [javascript.browser.security.raw-html-concat.raw-html-concat](https://semgrep.dev/r?q=javascript.browser.security.raw-html-concat.raw-html-concat) (JavaScript / TypeScript)
    * [javascript.express.security.injection.raw-html-format.raw-html-format](https://semgrep.dev/r?q=javascript.express.security.injection.raw-html-format.raw-html-format) (JavaScript / TypeScript)
    * [javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector](https://semgrep.dev/r?q=javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector) (JavaScript / TypeScript)
    * [javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp) (JavaScript / TypeScript)
    * javascript.mobb.system-information-leak-external (JavaScript / TypeScript)
    * [react.security.audit.react-unsanitized-method.react-unsanitized-method](https://semgrep.dev/r?q=react.security.audit.react-unsanitized-method.react-unsanitized-method) (JavaScript / TypeScript)
    * [django.security.injection.code.user-exec-format-string.user-exec-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-exec-format-string.user-exec-format-string) (Python)
    * [django.security.injection.code.user-exec.user-exec](https://semgrep.dev/r?q=django.security.injection.code.user-exec.user-exec) (Python)
    * [flask.security.injection.user-exec.exec-injection](https://semgrep.dev/r?q=flask.security.injection.user-exec.exec-injection) (Python)
    * [lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=lang.security.audit.exec-detected.exec-detected) (Python)
    * [python.lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=python.lang.security.audit.exec-detected.exec-detected) (Python)
  * **Snyk**
    * Cross-site Scripting (XSS) (C#)
    * [Code Injection](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules) (Python)
  * **SonarQube**
    * [Logging templates should be constant](https://rules.sonarsource.com/csharp/RSPEC-2629/) (C#)
    * [Accessing files should not lead to filesystem oracle attacks](https://rules.sonarsource.com/java/RSPEC-6549/) (Java)
    * [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5334/) (Python)
* **New FP rules released:**
  * **Checkmarx**
    * Reflected XSS (C#)
    * Reflected XSS All Clients (C#)
    * Stored XSS (C#)
    * [Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/13646819717326216658) (Python)
    * [Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/14606273189609098459) (Python)
    * [Stored Command Argument Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/88/6227086963064089467) (Python)
  * **CodeQL**
    * [No space for zero terminator](https://codeql.github.com/codeql-query-help/cpp/cpp-no-space-for-terminator/) (CPP)
    * [Code injection](https://codeql.github.com/codeql-query-help/python/py-code-injection/) (Python)
  * **Datadog**
    * [no-exec](https://docs.datadoghq.com/security/default_rules/#command-injection) (Python)
  * **Fortify**
    * Cross-Site Scripting: Persistent (C#)
    * [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#C%23%2FVB.NET%2FASP.NET) (C#)
    * [Buffer Overflow](https://vulncat.fortify.com/en/detail?category=Buffer%20Overflow) (CPP)
    * [String Termination Error](https://vulncat.fortify.com/en/detail?category=String%20Termination%20Error) (CPP)
    * [HTTP Parameter Pollution](https://vulncat.fortify.com/en/detail?category=HTTP%20Parameter%20Pollution) (Java)
  * **Semgrep/Opengrep**
    * java/mobb.pt\_find\_transitives (Java)
    * [javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization](https://semgrep.dev/r?q=javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization) (JavaScript / TypeScript)
    * [javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp) (JavaScript / TypeScript)
    * [django.security.injection.code.user-exec-format-string.user-exec-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-exec-format-string.user-exec-format-string) (Python)
    * [django.security.injection.code.user-exec.user-exec](https://semgrep.dev/r?q=django.security.injection.code.user-exec.user-exec) (Python)
    * [flask.security.injection.user-exec.exec-injection](https://semgrep.dev/r?q=flask.security.injection.user-exec.exec-injection) (Python)
    * [lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=lang.security.audit.exec-detected.exec-detected) (Python)
    * [python.lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=python.lang.security.audit.exec-detected.exec-detected) (Python)
  * **Snyk**
    * Cross-site Scripting (XSS) (C#)
    * [Code Injection](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules) (Python)
  * **SonarQube**
    * [Accessing files should not lead to filesystem oracle attacks](https://rules.sonarsource.com/java/RSPEC-6549/) (Java)
    * [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5334/) (Python)

**July 7, 2025**

* Added new documentation page: [MVS Setup guide for Cursor](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/cursor).
* Added a third mode in MVS called `check_for_new_available_fixes`, which continuously scans your project and checks for available fixes. Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs#id-3.-check_for_new_available_fixes) to learn more.
* **New fixes released:**
  * **Semgrep/Opengrep**
    * javascript.lang.security.audit.prototype-pollution-loop-mobb.prototype-pollution-loop-mobb (JavaScript / TypeScript)
    * [javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop](https://semgrep.dev/r?q=javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop) (JavaScript / TypeScript)
* **New FP rules released:**
  * **Checkmarx**
    * Path Traversal (C#)
  * **CodeQL**
    * [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/csharp/cs-path-injection/) (C#)
  * **Fortify**
    * [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#C%23%2FVB.NET%2FASP.NET) (C#)
    * [Path Manipulation: Base Path Overwriting](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Base%20Path%20Overwriting#C%23%2FVB.NET%2FASP.NET) (C#)
  * **Snyk**
    * [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal) (C#)
  * **SonarQube**
    * [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/csharp/RSPEC-2083/) (C#)

**June 30, 2025**

* Added new documentation page: [MVS Setup guide for IntelliJ IDEA + Copilot](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/intellij-idea-+-github-copilot).
* Published the [CodeQL SARIF downloader](https://docs.mobb.ai/mobb-user-docs/integrating-sast-findings/codeql/codeql-sarif-downloader) utility.
* [Mobb Vibe Shield](https://vibe.mobb.ai) has officially been added to the [awesome-mcp-servers](https://github.com/punkpeye/awesome-mcp-servers) list.
* **New fixes released:**
  * **Checkmarx**
    * [HttpOnly Cookie Flag Not Set](https://deu.ast.checkmarx.net/resourceManagement/presets/description/1004/9800224272094099502) (JavaScript / TypeScript)
  * **Fortify**
    * [System Information Leak: External](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=External#C%23%2fVB.NET%2fASP.NET) (C#)
  * **SonarQube**
    * [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068) (JavaScript / TypeScript)
    * [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068) (JavaScript / TypeScript)
    * [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/) (JavaScript / TypeScript)
    * [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/) (JavaScript / TypeScript)
* **New FP rules released:**
  * **Checkmarx**
    * Client Regex Injection (JavaScript / TypeScript)
    * [HttpOnly Cookie Flag Not Set](https://deu.ast.checkmarx.net/resourceManagement/presets/description/1004/9800224272094099502) (JavaScript / TypeScript)
    * [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922) (JavaScript / TypeScript)
  * **CodeQL**
    * [Inefficient regular expression](https://codeql.github.com/codeql-query-help/javascript/js-redos/) (JavaScript / TypeScript)
    * [Regular expression injection](https://codeql.github.com/codeql-query-help/javascript/js-regex-injection/) (JavaScript / TypeScript)
  * **Fortify**
    * [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials) (DEFAULT)
    * [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key) (DEFAULT)
    * [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password) (DEFAULT)
    * [Password Management: Password in Configuration File](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Configuration%20File) (DEFAULT)
    * [Password Management: Weak Cryptography](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Weak%20Cryptography) (DEFAULT)
  * **Snyk**
    * [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-102-regular-expression-denial-of-service-redos) (JavaScript / TypeScript)
    * No Hardcoded Credentials Test (Python)
  * **SonarQube**
    * [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/go/RSPEC-2068/) (GO)
    * [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068) (JavaScript / TypeScript)
    * [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068) (JavaScript / TypeScript)
    * [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/) (JavaScript / TypeScript)
    * [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/) (JavaScript / TypeScript)
    * [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/javascript/RSPEC-2631/) (JavaScript / TypeScript)
    * [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/typescript/RSPEC-2631/) (JavaScript / TypeScript)

**June 22, 2025**

* Added new [documentation page for FP rules](https://docs.mobb.ai/mobb-user-docs/supported-fp-rules).
* Added new documentation page: [MVS Setup guide for VS Code + GitHub Copilot](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/vs-code-+-github-copilot).
* Added new documentation page: [MVS Setup guide for Visual Studio 2022 + GitHub Copilot](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-vibe-shield-mvs/visual-studio-2022-+-github-copilot).
* Issues marked as "Suppressed" in Fortify will be recategorized into the "Irrelevant Issues" section in the fix report. Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#issue-categorization-irrelevant-issues) for more details.
* **New fixes released:**
  * **Checkmarx**
    * Hardcoded password in Connection String (JavaScript / TypeScript)
    * JWT Use Of Hardcoded Secret (JavaScript / TypeScript)
    * Secret\_Leak (JavaScript / TypeScript)
    * Use Of Hardcoded Password (JavaScript / TypeScript)
  * **CodeQL**
    * [Hard-coded credentials](https://codeql.github.com/codeql-query-help/javascript/js-hardcoded-credentials/) (JavaScript / TypeScript)
  * **Fortify**
    * [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials#JavaScript%2FTypeScript) (JavaScript / TypeScript)
    * [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key#JavaScript%2FTypeScript) (JavaScript / TypeScript)
    * [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#JavaScript%2FTypeScript) (JavaScript / TypeScript)
  * **Semgrep/Opengrep**
    * [jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret](https://semgrep.dev/r/jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret) (JavaScript / TypeScript)
  * **Snyk**
    * [Use of Hardcoded Credentials](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-56-use-of-hardcoded-credentials) (JavaScript / TypeScript)
  * **SonarQube**
    * [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/) (JavaScript / TypeScript)
    * [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/) (JavaScript / TypeScript)
    * [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/RSPEC-2068) (JavaScript / TypeScript)
    * [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/RSPEC-2068) (JavaScript / TypeScript)

**June 13, 2025**

* **Released Mobb Vibe Shield (MVS)** - Mobb Vibe Shield connects to your IDE (via the Mobb MCP Server and your AI agent) and provides fixes directly in your source code. Click [here](https://vibe.mobb.ai/) to learn more.
* **Added full description in PR** generated through Mobb's [Auto-PR feature](https://docs.mobb.ai/mobb-user-docs/administration/fix-policy#automatic-pr).
* **Added new REST API endpoint `/reporting/project-aggregated`** for reporting on aggregated data on projects.
* Added a `convert-to-sarif` mode to the Mobb CLI to better support processing of large reports (e.g. multiple repos in a single Fortify FPR report). Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-cli/convert-to-sarif-mode) to learn more.
* **Added support for Okta Single Sign-On (SSO)** for organizations that wish to integrate with Mobb using Okta as their identity provider (IdP). Click [here](https://docs.mobb.ai/mobb-user-docs/administration/single-sign-on-sso/connecting-okta-to-mobb) to learn more.
* **Added support for the `--create-one-pr` flag in the Mobb CLI** - When this flag is added (along with the `--auto-pr` flag), Auto-PR will create one unified PR containing all the available fixes from this analysis.
* **Added support for `prStatus` in the REST API** endpoint `GET /api/rest/fix-reports/{fixReportId}`.
* **Added support for Asynchronous Commit** - Mobb will now commit fixes (PRs or direct commits) asynchronously to the user's SCMs. Users no longer have to wait until the PR is completed before navigating away from the commit screen.
* **Added support for email notifications and configurations** - Org admins can now configure email notification settings for fix analysis completion, fix commits, or report expiry under Organization Settings -> Notifications.
* **New fixes released:**
  * **Snyk**
    * [Open Redirect](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules) (Java)
    * Hardcoded Credential (PHP)
    * Hardcoded Credential Test (PHP)
    * Hardcoded Non Crypto Secret (PHP)
    * Hardcoded Password (PHP)
    * Hardcoded Password Test (PHP)
    * [Arbitrary File Write via Archive Extraction (Tar Slip)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules) (Python)
  * **Fortify**
    * [J2EE Bad Practices: Threads](https://vulncat.fortify.com/en/detail?category=J2EE%20Bad%20Practices\&subcategory=Threads) (Java)
    * [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect) (Java)
    * [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key) (PHP)
    * [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password+Management\&subcategory=Hardcoded+Password) (PHP)
    * [Weak Cryptographic Hash: Hardcoded Salt](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash\&subcategory=Hardcoded%20Salt#PHP) (PHP)
    * [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#YAML) (YAML)
  * **Checkmarx**
    * [Open Redirect](https://deu.ast.checkmarx.net/resourceManagement/presets/description/601/5854466950125120303) (Java)
    * Hardcoded Salt (PHP)
    * Use of Hardcoded Cryptographic IV (PHP)
    * Use Of Hardcoded Password (PHP)
  * **SonarQube**
    * ["Preconditions" and logging arguments should not require evaluation](https://next.sonarqube.com/sonarqube/coding_rules?languages=java\&open=java:S2629) (Java)
    * [Format strings should be used correctly](https://rules.sonarsource.com/java/RSPEC-3457/) (Java)
    * [Generic exceptions should never be thrown](https://rules.sonarsource.com/java/RSPEC-112/) (Java)
    * [javasecurity:S5146 HTTP request redirections should not be open to forging attacks](https://next.sonarqube.com/sonarqube/coding_rules?open=javasecurity%3AS5146\&rule_key=javasecurity%3AS5146) (Java)
    * [Sections of code should not be commented out](https://rules.sonarsource.com/java/RSPEC-125/) (Java)
    * [Server-side requests should not be vulnerable to traversing attacks](https://rules.sonarsource.com/java/RSPEC-7044/) (Java)
    * [Try-catch blocks should not be nested](https://rules.sonarsource.com/java/RSPEC-1141/) (Java)
    * [Unnecessary imports should be removed](https://rules.sonarsource.com/java/RSPEC-1128/) (Java)
    * [Unused "private" fields should be removed](https://rules.sonarsource.com/java/RSPEC-1068/) (Java)
    * [Fields that are only assigned in the constructor should be "readonly"](https://rules.sonarsource.com/typescript/RSPEC-2933/) (JavaScript / TypeScript)
    * [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2077/) (JavaScript / TypeScript)
    * [Sections of code should not be commented out](https://rules.sonarsource.com/typescript/RSPEC-125/) (JavaScript / TypeScript)
    * [Sections of code should not be commented out](https://rules.sonarsource.com/javascript/RSPEC-125/) (JavaScript / TypeScript)
    * [Using slow regular expressions is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-5852/) (JavaScript / TypeScript)
    * [Using slow regular expressions is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-5852/) (JavaScript / TypeScript)
    * [Variables should be declared explicitly](https://rules.sonarsource.com/javascript/RSPEC-2703/) (JavaScript / TypeScript)
    * [Credentials should not be hard-coded](https://rules.sonarsource.com/php/RPSEC-6437) (PHP)
    * [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/php/RPSEC-2068) (PHP)
    * [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/php/RPSEC-6418) (PHP)
    * ["Exception" and "BaseException" should not be raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S112) (Python)
    * [Do not name local variables as builtin python functions](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5806) (Python)
    * [Do not use identity comparisons (is / is not) with cached types](https://rules.sonarsource.com/python/RSPEC-5795/) (Python)
    * [Properly use string formatting: add all arguments to the format string, don't supply unused arguments](https://rules.sonarsource.com/python/RSPEC-3457/) (Python)
    * [python:S5443 Using publicly writable directories is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5443/) (Python)
    * [python:S5754 "SystemExit" should be re-raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5754) (Python)
    * [Sections of code should not be commented out](https://rules.sonarsource.com/python/RSPEC-125/) (Python)
    * [String literals should not be duplicated](https://rules.sonarsource.com/python/RSPEC-1192/) (Python)
    * [The "print" statement should not be used](https://rules.sonarsource.com/python/RSPEC-2320/) (Python)
    * [Unused assignments should be removed](https://rules.sonarsource.com/python/RSPEC-1854/) (Python)
    * [Wildcard imports should not be used](https://rules.sonarsource.com/python/RSPEC-2208/) (Python)
    * [Credentials should not be hard-coded](https://rules.sonarsource.com/docker/RSPEC-6437/) (YAML)
    * [Ensure whitespace in-between braces in template directives](https://rules.sonarsource.com/kubernetes/RSPEC-6893/) (YAML)
  * **CodeQL**
    * [Arbitrary file write during tarfile extraction](https://codeql.github.com/codeql-query-help/python/py-tarslip/) (Python)
  * **Semgrep/Opengrep**
    * [Cookie Missing HTTP only](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly) (GO)
    * [lang.security.audit.unvalidated-redirect.unvalidated-redirect](https://semgrep.dev/r?q=java.lang.security.audit.unvalidated-redirect.unvalidated-redirect) (Java)
    * [spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect](https://semgrep.dev/r?q=java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect) (Java)
    * javascript.lang.security.audit.detect-redos-mobb.detect-redos-mobb (JavaScript / TypeScript)
    * [lang.security.audit.sqli.node-knex-sqli.node-knex-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-knex-sqli.node-knex-sqli) (JavaScript / TypeScript)
    * [lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli) (JavaScript / TypeScript)
    * [mobb.security.audit.express-check-cmdi](https://semgrep.dev/r?q=mobb.express-check-cmdi) (JavaScript / TypeScript)
    * [python.tarfile-extractall-traversal.tarfile-extractall-traversal](https://semgrep.dev/r?q=python.tarfile-extractall-traversal.tarfile-extractall-traversal) (Python)

**May 2, 2025**

* Added support for Datadog SAST issues. For more details, visit the supported issues page [here](https://docs.mobb.ai/mobb-user-docs/supported-stable-fixes#list-of-supported-issue-types-for-datadog).
* Added support for fixing a large number of issues (100+ commits) in one PR.
* New PRs or Commits will display a status message when the PR is ready to be merged. Click [here](https://docs.mobb.ai/mobb-user-docs/more-info/frequently-asked-questions-faq#after-i-click-create-a-pull-request-how-do-i-know-when-its-ready) for more details.
* Added ability to identify dev owners (git blame) for all [supported SCMs](https://docs.mobb.ai/mobb-user-docs/getting-started/system-requirements#supported-source-code-management-scm-tools).
* Performance improvements when loading large report pages and the dashboard.
* **PR agent enhancement -** On top of publishing fixes in GitHub PR comments, our PR agent will indicate when you get false alarms from your SAST tool. Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/mobb-cli/review-mode#types-of-comments-published-in-the-pr) to learn more.
* **New fixes released:**
  * **Fortify**
    * [J2EE Bad Practices: Threads](https://vulncat.fortify.com/en/detail?category=J2EE%20Bad%20Practices\&subcategory=Threads) (Java)
  * **Checkmarx**
    * [Unsafe Object Binding](https://deu.ast.checkmarx.net/resourceManagement/presets/description/915/18167789603095321044) (Java)
  * **SonarQube**
    * [Function returns should not be invariant](https://rules.sonarsource.com/javascript/RSPEC-3516/) (JavaScript / TypeScript)
    * [Jump statements should not occur in "finally" blocks](https://rules.sonarsource.com/javascript/RSPEC-1143/) (JavaScript)
    * [Jump statements should not occur in "finally" blocks](https://rules.sonarsource.com/typescript/RSPEC-1143/) (TypeScript)
    * [Variables should be declared with "let" or "const"](https://rules.sonarsource.com/javascript/RSPEC-3504/) (JavaScript)
    * [Variables should be declared with "let" or "const"](https://rules.sonarsource.com/typescript/RSPEC-3504/) (TypeScript)
    * [Function parameters' default values should not be modified or assigned](https://rules.sonarsource.com/python/RSPEC-5717/) (Python)
    * [python:S5443 Using publicly writable directories is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5443/) (Python)
    * [python:S5754 "SystemExit" should be re-raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5754) (Python)
    * [python:S5795 Identity comparisons should not be used with cached types](https://rules.sonarsource.com/python/RSPEC-5795/) (Python)
  * **Semgrep/Opengrep**
    * [go.lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command) (GO)
    * [go.lang.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=go.lang.security.injection.open-redirect.open-redirect) (GO)
    * [lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command) (GO)
    * [lang.security.audit.sqli.pgx-sqli.pgx-sqli](https://semgrep.dev/r?q=go.lang.security.audit.sqli.pgx-sqli.pgx-sqli) (GO)
    * [lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter](https://semgrep.dev/r?q=+go+lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter) (GO)
    * [python.lang.security.audit.formatted-sql-query.formatted-sql-query](https://semgrep.dev/r?q=python.lang.security.audit.formatted-sql-query.formatted-sql-query) (Python)
    * [python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli](https://semgrep.dev/r?q=python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli) (Python)
    * [python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5) (Python)
    * [python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1) (Python)
    * [python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text](https://semgrep.dev/r?q=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text) (Python)
    * [python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query](https://semgrep.dev/r?q=python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query) (Python)
    * [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r?q=yaml.github-actions.security.run-shell-injection.run-shell-injection) (YAML)
  * **Datadog**
    * [Avoid user-input file](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/spring-request-file-tainted/) (Java)
    * [Avoid using printStackTrace()](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-best-practices/avoid-printstacktrace/) (Java)
    * [MD2, MD4, and MD5 are weak hash functions](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/weak-message-digest-md5/) (Java)
    * [Prefer SecureRandom over Random](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/avoid-random/) (Java)
    * [Prevent path traversal](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/path-traversal/) (Java)
    * [SHA-1 is a weak hash function](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/weak-message-digest-sha1/) (Java)
    * [Avoid setting insecure cookie settings](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/javascript-express/insecure-cookie/) (JavaScript / TypeScript)
    * [Do not use weak hash functions](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/javascript-node-security/insecure-hash/) (JavaScript / TypeScript)
    * [Avoid SQL injections](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/variable-sql-statement-injection/) (Python)
    * [Do not use an empty list as a default parameter](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/no-empty-list-as-parameter/) (Python)

**April 8, 2025**

**New stable fixes released:**

* **Snyk**
  * [Insecurely Generated Password](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules) (GO)
  * [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection) (Python)
* **Fortify**
  * [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery#Universal) (Python)
* **Checkmarx**
  * Use of Cryptographically Weak PRNG (GO)
* **SonarQube**
  * [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/go/impact/security/RSPEC-2245/) (GO)
  * [String literals should not be duplicated](https://rules.sonarsource.com/java/RSPEC-1192/) (Java)
* **Semgrep/Opengrep**
  * [lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter](https://semgrep.dev/r?q=+go+lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter) (GO)
  * [python.lang.security.audit.subprocess-shell-true.subprocess-shell-true](https://semgrep.dev/r?q=lang.security.audit.subprocess-shell-true.subprocess-shell-true) (Python)
  * [python.lang.security.insecure-uuid-version.insecure-uuid-version](https://semgrep.dev/r?q=python.lang.security.insecure-uuid-version.insecure-uuid-version) (Python)

**March 17, 2025**

* Mobb Azure DevOps Plugin updated:
  * **Supports `--commit-directly` flag**. This capability allows users to commit fixes directly to a target branch (i.e. source branch of a PR).
  * **Publishing of Mobb link in the PR comments**: A direct link to the Mobb analysis results is now included in PR comments.
  * **Publishing of what fix was committed directly in PR comments (if the context is a PR)**: When a fix is committed within a PR context, the details of the fix will be automatically published in the PR comments.
* **New stable fixes released:**
  * **Semgrep/Opengrep**
    * [gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check](https://semgrep.dev/r?q=go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check) (GO)
    * [insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification](https://semgrep.dev/r?q=problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification) (GO)
    * [lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion](https://semgrep.dev/r?q=go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion) (GO)
    * [lang.security.audit.crypto.use\_of\_weak\_crypto.use-of-md5](https://semgrep.dev/r?q=lang.security.audit.crypto.use_of_weak_crypto.use-of-md5) (GO)
    * [lang.security.audit.crypto.use\_of\_weak\_crypto.use-of-sha1](https://semgrep.dev/r?q=lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1) (GO)
    * [lang.security.audit.crypto.use-of-sha1.use-of-sha1](https://semgrep.dev/r?q=lang.security.audit.crypto.use-of-sha1.use-of-sha1) (Java)

**March 13, 2025**

* **New stable fixes released:**
  * **Fortify**
    * [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#Java%2FJSP) (Java)
    * [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#Python) (Python)
  * **Checkmarx**
    * [Reversible One Way Hash](https://deu.ast.checkmarx.net/resourceManagement/presets/description/328/7875786759696254599) (Java)
    * [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/15434822379289186737) (Java)
    * [Client Weak Cryptographic Hash](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/6215771209953606521) (JavaScript / TypeScript)
    * [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/16841165964473079218) (JavaScript / TypeScript)
    * [Information Exposure Through an Error Message](https://deu.ast.checkmarx.net/resourceManagement/presets/description/209/10086633261638473115) (Python)
    * Reversible One Way Hash (Python)
    * [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/10201415834072344741) (Python)
  * **SonarQube**
    * [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/java/RSPEC-4790/) (Java)
    * [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-4790/) (JavaScript / TypeScript)
    * [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4790/) (Python)
  * **CodeQL**
    * [Use of a broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/java/java-weak-cryptographic-algorithm/) (Java)
    * [Use of a potentially broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/java/java-potentially-weak-cryptographic-algorithm/) (Java)
    * [Insecure randomness](https://codeql.github.com/codeql-query-help/javascript/js-insufficient-password-hash/) (JavaScript / TypeScript)
    * [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/javascript/js-weak-cryptographic-algorithm/) (JavaScript / TypeScript)
    * [Information exposure through an exception](https://codeql.github.com/codeql-query-help/python/py-stack-trace-exposure/) (Python)
    * [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/python/py-weak-cryptographic-algorithm/) (Python)
    * [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/python/py-weak-sensitive-data-hashing/) (Python)
  * **Semgrep/Opengrep**
    * [lang.security.audit.crypto.use-of-md5.use-of-md5](https://semgrep.dev/r?q=lang.security.audit.crypto.use-of-md5.use-of-md5) (Java)

**February 13, 2025**

* **Introducing Clean Fix & False Positive Detection!**\
  Now, when you generate a fix analysis report, Mobb automatically categorizes issues into **Fixable Issues, Irrelevant Issues (False Positives), and Remaining Issues**. Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#issue-categorization) to learn more.
* **New stable fixes released:**
  * **Snyk**
    * [Clear Text Logging](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules) (GO)
    * [Improper Certificate Validation](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules) (GO)
  * **Fortify**
    * [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Golang) (GO)
  * **Checkmarx**
    * Use Of Hardcoded Password (C#)
    * Log Forging (GO)
    * Privacy Violation (GO)
    * SSL Verification Bypass (GO)
    * Frameable Login Page (Java)
    * Privacy Violation (Java)
    * SQL Injection Evasion Attack (Java)
    * Stored Absolute Path Traversal (Java)
    * Use of Hard coded Cryptographic Key (Java)
    * [Filtering Sensitive Logs](https://deu.ast.checkmarx.net/resourceManagement/presets/description/532/12553559161661395516) (Python)
    * [Hardcoded Secrets](https://deu.ast.checkmarx.net/) (Python)
    * [Privacy Violation](https://deu.ast.checkmarx.net/resourceManagement/presets/description/359/15091406806124960160) (Python)
    * [Unchecked Input for Loop Condition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/606/12513885999564608658) (Python)
    * [Default Definer Rights in Package or Object Definition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/265/10300492436975582020) (SQL)
    * [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/1186085178286193418) (SQL)
  * **SonarQube**
    * [Loop boundaries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-6680/) (Python)
  * **CodeQL**
    * [Clear-text logging of sensitive information](https://codeql.github.com/codeql-query-help/go/go-clear-text-logging/) (GO)
    * [Disabled TLS certificate check](https://codeql.github.com/codeql-query-help/go/go-disabled-certificate-check/) (GO)
    * [Incomplete regular expression for hostnames](https://codeql.github.com/codeql-query-help/go/go-incomplete-hostname-regexp/) (GO)
    * [Log entries created from user input](https://codeql.github.com/codeql-query-help/go/go-log-injection/) (GO)
  * **Semgrep**
    * [lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion](https://semgrep.dev/r?q=lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion) (GO)
    * [lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.jdbc-sqli.jdbc-sqli) (Java)
    * [lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request) (Java)

**January 21, 2025**

* **New stable fixes released:**
  * **Snyk**
    * [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules) (Snyk/Python)
  * **Fortify**
    * [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery#Universal) (Fortify/JavaScript / TypeScript)
    * [Privacy Violation: Autocomplete](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation\&subcategory=Autocomplete#Universal) (Fortify/JavaScript / TypeScript)
    * [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#PHP) (Fortify/PHP)
    * [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Python) (Fortify/Python)
  * **Checkmarx**
    * Use of Non Cryptographic Random (Checkmarx/PHP)
    * [ReDoS Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/400/5043137136712896099) (Checkmarx/Python)
    * [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/631642030927601838) (Checkmarx/Python)
  * **SonarQube**
    * [Unassigned members should be removed](https://rules.sonarsource.com/csharp/RSPEC-3459/) (SonarQube/C#)
    * [Unread "private" fields should be removed](https://rules.sonarsource.com/csharp/RSPEC-4487/) (SonarQube/C#)
    * [Unused private types or members should be removed](https://rules.sonarsource.com/csharp/RSPEC-1144/) (SonarQube/C#)
    * [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/php/type/Security%20Hotspot/RSPEC-2245/) (SonarQube/PHP)
    * [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-3649/) (SonarQube/Python)
    * [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2077/) (SonarQube/Python)
    * [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/python/RSPEC-2631/) (SonarQube/Python)
  * **CodeQL**
    * [Regular expression injection](https://codeql.github.com/codeql-query-help/python/py-regex-injection/) (CodeQL/Python)
    * [SQL query built from user-controlled sources](https://codeql.github.com/codeql-query-help/python/py-sql-injection/) (CodeQL/Python)
  * **Semgrep**
    * [javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape](https://semgrep.dev/r?q=javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape) (Semgrep/JavaScript/TypeScript)
    * [javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring](https://semgrep.dev/r?q=javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring) (Semgrep/JavaScript/TypeScript)
    * [django.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=django.security.injection.tainted-sql-string.tainted-sql-string) (Semgrep/Python)
    * [flask.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=flask.security.injection.tainted-sql-string.tainted-sql-string) (Semgrep/Python)
    * [lang.security.audit.formatted-sql-query.formatted-sql-query](https://semgrep.dev/r?q=lang.security.audit.formatted-sql-query.formatted-sql-query) (Semgrep/Python)
    * [lang.security.audit.sqli.psycopg-sqli.psycopg-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.psycopg-sqli.psycopg-sqli) (Semgrep/Python)
    * [python.django.security.django-no-csrf-token.django-no-csrf-token](https://semgrep.dev/r?q=python.django.security.django-no-csrf-token.django-no-csrf-token) (Semgrep/Python)
    * [python.django.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=python.django.security.injection.open-redirect.open-redirect) (Semgrep/Python)
    * [sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query](https://semgrep.dev/r?q=sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query) (Semgrep/Python)

**January 7, 2025**

* **Mobb REST API:** You can now interact with Mobb using REST API published [here](https://apidocs.mobb.ai). A walkthrough guide on how to get started is also available [here](https://docs.mobb.ai/mobb-user-docs/mobb-rest-api).
* **New stable fixes released:**
  * **Snyk**
    * [Incomplete URL sanitization](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules) (Snyk/Python)
  * **Fortify**
    * [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#Python) (Fortify/Python)
  * **SonarQube**
    * [Composite format strings should be used correctly](https://rules.sonarsource.com/csharp/RSPEC-3457/) (SonarQube/C#)
    * [Fields that are only assigned in the constructor should be "readonly"](https://rules.sonarsource.com/csharp/RSPEC-2933/) (SonarQube/C#)
    * [Not specifying a timeout for regular expressions is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-6444/) (SonarQube/C#)
    * [Sections of code should not be commented out](https://rules.sonarsource.com/csharp/RSPEC-125/) (SonarQube/C#)
  * **CodeQL**
    * [Incomplete URL substring sanitization](https://codeql.github.com/codeql-query-help/python/py-incomplete-url-substring-sanitization/) (CodeQL/Python)
  * **Semgrep**
    * [java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly](https://semgrep.dev/r?q=java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly) (Semgrep/Java)
    * [java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag](https://semgrep.dev/r?q=java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag) (Semgrep/Java)
    * [java.lang.security.audit.crypto.weak-random.weak-random](https://semgrep.dev/r?q=java.lang.security.audit.crypto.weak-random.weak-random) (Semgrep/Java)
    * [java.servlets.security.cookie-issecure-false.cookie-issecure-false](https://semgrep.dev/r?q=java.servlets.security.cookie-issecure-false.cookie-issecure-false) (Semgrep/Java)
    * [html.security.audit.missing-integrity.missing-integrity](https://semgrep.dev/r?q=html.security.audit.missing-integrity.missing-integrity) (Semgrep/JavaScript)
    * [python.flask.security.audit.debug-enabled.debug-enabled](https://semgrep.dev/r?q=python.flask.security.audit.debug-enabled.debug-enabled) (Semgrep/Python)

[Click here to see all currently supported fixes](https://docs.mobb.ai/mobb-user-docs/supported-stable-fixes)

**December 13, 2024**

* **Project-level fix policy:** You can now define fix policies such as issue types and automatic PRs on a per-project basis. Click [here](https://docs.mobb.ai/mobb-user-docs/administration/project-settings#project-level-fix-policy) to learn more, or watch the demo video [here](https://www.youtube.com/watch?v=xsxovAeNeyg\&t=1s).
* **Committing fixes directly to a target branch:** When committing fixes back to your repository, you now have the option to commit them as a Pull Request or directly to a branch of your choice. Watch the demo video [here](https://www.youtube.com/watch?v=hrZ0SsgxvSs).
* **New stable fixes released:**
  * [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-reflected-xss/) (CodeQL/JavaScript)
  * [SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/17810866942529238742) (Checkmarx/Python)
  * [Reflected\_XSS\_All\_Clients](https://deu.ast.checkmarx.net/resourceManagement/presets/description/79/11301225196674651062) (Checkmarx/Python)
  * Cross Site Scripting (XSS) (Snyk/Python)
  * [Client DOM Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/17736946413799343054) (Checkmarx/JavaScript)
  * [Dynamically executing code is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-1523/) (SonarQube/JavaScript)
  * [Password In Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/2940637487142405047) (Checkmarx/Java)
  * [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5147/) (SonarQube/TypeScript)
  * [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-5147/) (SonarQube/JavaScript)
  * [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Python) (Fortify/Python)
  * [Password in Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/13336864677243390331) (Checkmarx/Python)
  * [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/javascript/RSPEC-2083/) (SonarQube/JavaScript)
  * [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2083/) (SonarQube/TypeScript)
  * [Heap Inspection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/244/17574178213563422629) (Checkmarx/C#)
  * [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922) (Checkmarx/C#)

**November 6, 2024**

* **New Integrations Page added to Mobb UI:** The integrations page allows you to centrally manage all your connections between Mobb and external code platforms, SAST tools, and CI/CD tools. Click [here](https://docs.mobb.ai/mobb-user-docs/administration/integrations-page) to learn more.
* **New Mobb plugin has been released for Azure DevOps Pipeline:** Click [here](https://docs.mobb.ai/mobb-user-docs/ci-cd-integrations/azure-devops) to learn more. The Visual Studio Marketplace listing can be found [here](https://marketplace.visualstudio.com/items?itemName=Mobb.mobb-autofixer-task).
* **New guide on integrating Mobb in Bitbucket Pipeline**: Click [here](https://docs.mobb.ai/mobb-user-docs/ci-cd-integrations/bitbucket-pipeline) to learn more.
* **New guide on generating SonarQube SAST JSON Reports**: Click [here](https://docs.mobb.ai/mobb-user-docs/integrating-sast-findings/sonarqube/generating-a-sonarqube-sast-report) to learn more.
* **New guide on generating Checkmarx One JSON Reports**: Click [here](https://docs.mobb.ai/mobb-user-docs/integrating-sast-findings/checkmarx/generating-checkmarx-one-json-report-from-cli) to learn more.
* **New stable fixes released:**
  * Unsafe\_Object\_Binding (Checkmarx/C#)
  * Log\_Forging (Checkmarx/Python)
  * [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5145/) (SonarQube/Python)
  * [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#Java%2fJSP) (Fortify/Java)
  * Use\_of\_Non\_Cryptographic\_Random (Checkmarx/Java)
  * [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/java/RSPEC-2245/) (SonarQube/Java)
  * CSRF (Checkmarx/C#)
  * [Public constants and fields initialized at declaration should be "static final" rather than merely "final"](https://rules.sonarsource.com/java/RSPEC-1170/) (SonarQube/Java)
  * [Null pointers should not be dereferenced](https://rules.sonarsource.com/csharp/RSPEC-2259/) (SonarQube/C#)
  * [Hardcoded Domain in HTML](https://vulncat.fortify.com/en/detail?category=Hardcoded%20Domain%20in%20HTML#Universal) (Fortify/JavaScript)
  * Client\_Hardcoded\_Domain (Checkmarx/JavaScript)
  * [Using remote artifacts without integrity checks is security-sensitive](https://rules.sonarsource.com/html/type/Security%20Hotspot/RSPEC-5725/) (SonarQube/JavaScript)
  * [Inclusion of functionality from an untrusted source](https://codeql.github.com/codeql-query-help/javascript/js-functionality-from-untrusted-source/) (CodeQL/JavaScript)
  * [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922) (Checkmarx/JavaScript)
  * Client\_Regex\_Injection (Checkmarx/JavaScript)
  * [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/javascript/RSPEC-5696/) (SonarQube/JavaScript)
  * [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5696/) (SonarQube/TypeScript)
  * [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-3649/) (SonarQube/JavaScript)
  * [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-3649/) (SonarQube/TypeScript)
  * [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/) (SonarQube/JavaScript)
  * [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/) (SonarQube/TypeScript)
  * [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/typescript/RSPEC-2631/) (SonarQube/JavaScript)
  * [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2245/) (SonarQube/JavaScript)
  * [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/typescript/RSPEC-6105/) (SonarQube/JavaScript)
  * [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/javascript/RSPEC-5146/) (SonarQube/JavaScript)
  * [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5146/) (SonarQube/TypeScript)
  * [Unnecessary character escapes should be removed](https://rules.sonarsource.com/javascript/RSPEC-6535/) (SonarQube/JavaScript)
  * [Cookie Security: HTTPOnly not Set on Application Cookie](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=HTTPOnly%20not%20Set%20on%20Application%20Cookie) (Fortify/C#)
  * [Cookie Security: Session Cookie not Sent Over SSL](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=Session%20Cookie%20not%20Sent%20Over%20SSL#C%23%2FVB.NET%2FASP.NET) (Fortify/C#)
  * [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#Python) (Fortify/Python)
  * [Path Traversal](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules) (Snyk/Python)
  * Path\_Traversal (Checkmarx/Python)
  * [path-injection](https://codeql.github.com/codeql-query-help/python/py-path-injection/) (CodeQL/Python)
  * [Cross-Site Scripting: DOM](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=DOM#JavaScript%2FTypeScript) (Fortify/JavaScript)
  * [Cross-Site Scripting: Self](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Self#JavaScript%2FTypeScript) (Fortify/JavaScript)
  * [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#JavaScript%2FTypeScript) (Fortify/JavaScript)
  * [Improper\_Resource\_Shutdown\_or\_Release](https://deu.ast.checkmarx.net/resourceManagement/presets/description/404/4929335937220202619) (Checkmarx/Python)
  * [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/javascript/RSPEC-6105/) (SonarQube/JavaScript)
  * [Unnecessary character escapes should be removed](https://rules.sonarsource.com/typescript/RSPEC-6535/) (SonarQube/JavaScript)
  * [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-5145/) (SonarQube/C#)
  * [Prototype Pollution](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules) (Snyk/JavaScript)
  * [Allocation of Resources Without Limits or Throttling](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules) (Snyk/JavaScript)

**September 24, 2024**

* **Auto-PR feature added to Mobb UI**: This feature lets users specify the issue types for which Mobb will automatically create a Pull Request (PR) in your source code repository as soon as a fix becomes available. Click [here](https://docs.mobb.ai/mobb-user-docs/administration/fix-policy#automatic-pr) for more details.
* **Archive Fixes and Fix Rating:** Users can now provide feedback directly to the Mobb support team through the fix feedback system on the Fix page. Users can specify whether a particular fix is good and provide their reasons. Click [here](https://docs.mobb.ai/mobb-user-docs/more-info/providing-fix-feedback) for more details.
* **New stable fixes released:**
  * [Jinja auto-escape is set to false](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules/python-rules) (Snyk/Python)
  * [Extracting archives should not lead to zip slip vulnerabilities](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-6096/) (SonarQube/C#)
  * [Secure random number generators should not output predictable values](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-4347/) (SonarQube/C#)
  * Insufficient Logging of Exceptions (Checkmarx/C#)
  * [Missing rate limiting](https://codeql.github.com/codeql-query-help/javascript/js-missing-rate-limiting/) (CodeQL/JavaScript)

**September 10, 2024**

* **Added Support for Multi-tenant Mobb Broker**: Mobb Broker allows users to connect their Mobb organization to self-hosted (private) source code repositories that are not publicly accessible from the internet. You can now deploy the Mobb Broker if your organization is on the multi-tenant Mobb platform. Click [here](https://docs.mobb.ai/mobb-user-docs/more-info/mobb-broker) for more details.
* **New stable fixes released:**
  * Code Correctness: Erroneous String Compare (Erroneous String Compare) for Java (Fortify)
  * use\_of\_wrong\_operator\_in\_string\_comparison (Erroneous String Compare) for Java (Checkmarx)
  * Strings and Boxed types should be compared using "equals()" (Erroneous String Compare) for Java (SonarQube)
  * Poor Error Handling: Empty Catch Block for Java (Fortify)
  * unvalidated\_arguments\_of\_public\_methods (Unvalidated Public Method Argument) for C# (Checkmarx)
  * J2EE Bad Practices: Leftover Debug Code (Leftover Debug Code) for Java (Checkmarx)
  * Poor Style: Confusing Naming (Confusing Naming) for Java (Fortify)
  * confusing\_naming (Confusing Naming) for Java (Checkmarx)
  * Debug Mode Enabled (Debug Enabled) for Python (Snyk)
  * flask-debug (Debug Enabled) for Python (CodeQL)
  * debug\_enabled (Debug Enabled) for Python (Checkmarx)
  * Delivering code in production with debug features activated is security-sensitive (Debug Enabled) for Python (SonarQube)
  * information\_exposure\_via\_headers (Information Exposure via Headers) for C# (Checkmarx)
  * Code Correctness: Class Does Not Implement Equivalence Method (Class Does Not Implement Equivalence Method) for Java (Fortify)
  * declaration\_of\_catch\_for\_generic\_exception (Overly Broad Catch) for C# (Checkmarx)

**August 19, 2024**

* **Added support for GitHub Enterprise**: This capability allows users to run fix analysis and commit fixed code directly to GitHub Enterprise. See [system requirements](https://docs.mobb.ai/mobb-user-docs/getting-started/system-requirements#support-for-on-premise-scm-tools) for more details.
* **Added new "Fixing Effort" feature**: Fixing effort is an indicator that informs users of the level of effort required to complete the fix. Click [here](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#fixing-effort) for more details.
* Added `Effort` as a new filter in the fix report filter list. See all available filters [here](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#search-and-filtering-fixes).
* **New stable fixes released:**
  * Unreleased Resource: Streams (Improper Resource Shutdown or Release) for Java (Fortify)
  * Poor Style: Value Never Read (Value Never Read) for Java (Fortify)
  * Improper Resource Shutdown or Release for Java (SonarQube)
  * Value Never Read for Java (SonarQube)
  * Improper\_Resource\_Shutdown\_or\_Release (Improper Resource Shutdown or Release) for Java (Checkmarx)

**August 5, 2024**

* **SonarQube support added:** Mobb now supports SonarQube SAST results! You can now upload SonarQube reports to Mobb to generate fixes. Click [here](https://docs.mobb.ai/mobb-user-docs/supported-stable-fixes#list-of-supported-issue-types-for-sonarqube) to see a detailed list of currently supported fixes for SonarQube.
* **Mobb Fixer adds packages:** For JS-based projects, if a fix requires the use of an additional package, Mobb will automatically add that package to the `package.json` file as part of the fix.
* **Resend user invitation**: Added the option to resend an invitation email to someone to join your organization. Click [here](https://docs.mobb.ai/mobb-user-docs/administration/user-management#re-send-another-invitation-email-to-a-pending-user) for more details.
* **Quick analysis rerun**: When an existing fix is improved, the Mobb app will indicate this status and offer to rerun the analysis in one click. After the rerun, the app will indicate which fixes are "fresh", meaning they are new compared to the previous run. Click [here](https://docs.mobb.ai/mobb-user-docs/more-info/frequently-asked-questions-faq#how-can-i-tell-if-a-new-fix-is-available) for more information.
* Added `Severity` and `Language` as filters in the fix report filter list. See all available filters [here](https://docs.mobb.ai/mobb-user-docs/getting-started/working-with-the-fix-report#search-and-filtering-fixes).
* Experimental fixes are now disabled by default. You can go to Settings -> Fix Policy to turn them back on.
* **New stable fixes released:**
  * Zip Slip for Java (SonarQube)
  * SQL Injection for Java (SonarQube)
  * Log Forging for Java (SonarQube)
  * XSS for Java (SonarQube)
  * Regex Injection for Java (SonarQube)
  * Insecure Cookie for Java (SonarQube)
  * Cookie is not HttpOnly for Java (SonarQube)
  * Path Traversal for Java (SonarQube)
  * Regex Injection for JavaScript (SonarQube)
  * Insecure Randomness for JavaScript (SonarQube)
  * Dead Code: Unused Field for C# (Fortify)
  * Header Manipulation: Cookies for C# (Fortify)
  * XSS for C# (Checkmarx)

**June 27, 2024**

* Added support for Bitbucket Cloud - Support for SCM tools (GitHub, GitLab, Azure Repo, Bitbucket Cloud) allows users to automatically run fix analysis by connecting their repository to Mobb, as well as allowing Mobb to automatically generate Pull Requests (PRs) back into the repository. Follow the [onboarding guide](https://docs.mobb.ai/mobb-user-docs/getting-started/onboarding-guide/running-mobb-against-your-own-code) to learn more about how to submit a fix analysis for your repository.
* Added Live Support via Intercom in the Mobb UI
* **New stable fixes released:**
  * Information\_Exposure\_Through\_an\_Error\_Message (System Information Leak) for C# (Checkmarx)
  * Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (Insecure Cookie) for JavaScript (Snyk)
  * Clear text transmission of sensitive cookie (Insecure Cookie) for JavaScript (CodeQL)
  * Cookie Security: Cookie not Sent Over SSL (Insecure Cookie) for JavaScript (Fortify)
  * Unprotected\_Cookie (Insecure Cookie) for JavaScript (Checkmarx)
  * SQL Injection for Python (Snyk)
  * Unchecked\_Input\_For\_Loop\_Condition (Unchecked Loop Condition) for JavaScript (Checkmarx)
  * insufficient\_logging\_of\_sensitive\_operations (Insufficient Logging of Sensitive Operations) for C# (Checkmarx)
  * Incomplete URL scheme check for JavaScript (CodeQL)
  * Prototype-polluting assignment (Prototype Pollution) for JavaScript (CodeQL)

**June 4, 2024**

* UI Update - Project Settings: This capability provides additional granularity for setting user permissions on a per-project basis. To see more details, [click here](https://docs.mobb.ai/mobb-user-docs/administration/project-settings).
* New documentation page: [Mobb GitHub Fixer for CxOne](https://docs.mobb.ai/mobb-user-docs/ci-cd-integrations/github-actions/github-fixer-for-cxone)
* **New stable fixes released:**
  * Arbitrary File Write via Archive Extraction (Zip Slip) for Java (Snyk)
  * Arbitrary File Write via Archive Extraction (Zip Slip) for C# (Snyk)
  * Arbitrary file access during archive extraction (Zip Slip) for Java (CodeQL)
  * Arbitrary file access during archive extraction (Zip Slip) for C# (CodeQL)
  * Path Manipulation: Zip Entry Overwrite (Zip Slip) for Java (Fortify)
  * Path Manipulation: Zip Entry Overwrite (Zip Slip) for C# (Fortify)
  * Hard-coded credentials (Hardcoded Secrets) for JavaScript (CodeQL)
  * Value\_Shadowing (Value Shadowing) for C# (Checkmarx)
  * Use\_of\_Insufficiently\_Random\_Values (Insecure Randomness) for C# (Checkmarx)
  * Use of Insufficiently Random Values (Insecure Randomness) for C# (Snyk)
  * Insecure Randomness for C# (CodeQL)
  * Insecure Randomness for C# (Fortify)

**May 20, 2024**

* Mobb Fixer for Checkmarx One GitHub Integration is now available. This integration monitors for Checkmarx comments in a PR and generates a Mobb Fixer comment in the same PR. [Click here](https://github.com/marketplace/actions/cx-mobb-fixer-action) for more details.
* UI Update: Hovering over an issue name will display the original issue name from the SAST provider. [Click here](https://docs.mobb.ai/mobb-user-docs/more-info/frequently-asked-questions-faq#mobb-uses-a-different-naming-convention-for-the-issue-name-compared-to-the-ones-used-by-my-sast-prov) for more details.
* **New stable fixes released:**
  * HttpOnlyCookies for C# (Checkmarx)
  * Trust Boundary Violation for C# (Fortify)
  * Privacy Violation for Java (Fortify)

**May 7, 2024**

* UI Update: Hovering over the (!) tooltip next to the text "Available Fixes" on the Fix Report page will display the number of issues fixed compared to the total issues found in the vulnerability report. [Click here](https://docs.mobb.ai/mobb-user-docs/more-info/frequently-asked-questions-faq#how-do-i-find-out-the-total-number-of-fixes-available-compared-to-the-total-number-of-findings-in-th) for more details.
* **New stable fixes released:**
  * Just One of Equals() and GetHashCode() Defined for C# (Fortify)
  * Missing equals or hashcode method for C# (Checkmarx)
  * WCF Misconfiguration: Throttling Not Enabled for C# (Fortify)
  * WCF Misconfiguration: Insufficient Logging for C# (Fortify)
  * Incomplete regular expression for hostnames for JavaScript (CodeQL)
  * Overly permissive regular expression range for JavaScript (CodeQL)

**April 29, 2024**

* Mobb Broker is now released. Mobb Broker allows users to connect their Mobb organization to self-hosted source code repositories that are not publicly accessible from the internet. Please [contact us](mailto:support@mobb.ai) to learn more.
* New feature: Project pages now include a "Language" column that contains information about the languages present in the project.
* New feature: All previously committed fixes now include a "[Link to commit](https://docs.mobb.ai/mobb-user-docs/more-info/frequently-asked-questions-faq#how-do-i-find-out-which-fixes-were-previously-committed)".
* New feature: All fixes now contain a "Fix Info" tab, which contains additional info about the issue as well as fix instructions for the issue type.
* A new integration guide has been added for [Atlassian Bamboo](https://docs.mobb.ai/mobb-user-docs/ci-cd-integrations/bamboo) along with a sample integration YAML
* **New stable fixes released:**

  * Header Manipulation for C# (Fortify)
  * Password in Comment for XML (Fortify)
  * Server-Side Request Forgery for JavaScript (Checkmarx)

  [Click here to see all currently supported fixes](https://docs.mobb.ai/mobb-user-docs/supported-stable-fixes)

**April 18, 2024**

* **New stable fixes released:**
  * Prototype Pollution for JavaScript
  * Insecure Cookie for C#
  * Cookie is not HttpOnly for C#
  * Locale Dependent Comparison for Java
  * Race Condition Format Flaw for Java
  * Server-Side Request Forgery for C#
  * Regular Expression Injection for Java
  * XSS for Java
  * Poor Error Handling: Overly Broad Catch for Java
  * Non-final Public Static Field for Java
  * Missing HSTS Header for JavaScript
  * Dead Code: Unused Field for Java

**March 19, 2024**

* **New stable fixes released:**
  * Insecure Randomness for JavaScript
  * SQL Injection for JavaScript
  * Command Injection for JavaScript
  * Hardcoded Secrets for JavaScript
  * Deprecated Function for JavaScript
  * Null Dereference for C#
  * Trust Boundary Violations for C#

**March 4, 2024**

* Dashboard with **ROI Calculator** and **Fix Management** capabilities released. To see more details, [click here](https://docs.mobb.ai/mobb-user-docs/mobb-dashboard).
  * The ROI Calculator identifies the total savings in cost and time from all automatic fixes
  * Fix Management dashboard identifies the most effective fixes available across all your projects

**Feb 26, 2024**

* **New stable fixes released:**
  * Path Traversal for JavaScript
  * Error Condition Without Action for Java
  * HTML Comment in JSP for Java
  * Default Definer Rights in Package or Object Definition for SQL
  * Improper Exception Handling for C#
  * Improper Resource Shutdown or Release for C#

**Feb 7, 2024**

* **New stable fixes released:**
  * jQuery Deprecated Symbols for JavaScript
  * Missing iframe Sandbox for JavaScript
  * Unsafe Target Blank for JavaScript
  * Missing Anti-forgery Validation for C#
  * Insecure Binder Configuration for C#
  * Overly Broad Catch for C#

**January 29, 2024**

* **New stable fix released:**
  * Missing Check Against Null for Java
* Added support for Azure Repo - Mobb can now automatically retrieve source code from Azure Repo and commit directly back to an Azure Repo once a fix is ready.

**January 26, 2024**

* **New stable fix released:**
  * Regex Injection for Java added

**January 22, 2024**

* Mobb Fixer for GitHub is released (Demo video for [CodeQL](https://www.youtube.com/watch?v=95QJGxj1TV8), [Checkmarx](https://www.youtube.com/watch?v=8GpKO63dMfY), [Snyk](https://www.youtube.com/watch?v=QFo-QPom7UA))

**Jan 15, 2024**

* **New stable fixes released:**
  * Trust Boundary Violations added
  * Log Forging for Snyk and Fortify added

**January 9, 2024**

* Mobb is now on the [Snyk Integrations page](https://snyk.io/integrations/?type=vulnerability-management)

**December, 2023**

* Mobb is now on the [AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-vcj6wcdxpmvwa?sr=0-1\&ref_=beagle\&applicationId=AWSMPContessa)

**May, 2022**

* Bugsy launched.\
  Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of Mobb, the first vendor-agnostic automated security vulnerability remediation tool. [Click here to learn more](https://www.npmjs.com/package/mobbdev).
