What's New with Mobb

Discover recently released features, news and product announcements!


Last updated 3 days ago


Subscribe to "What's new with Mobb" newsletters by sending us an email at

May 2, 2025

  • Added support for Datadog SAST issues. For more details, visit the supported issues page.

  • Added support for fixing a large number of issues (100+ commits) in one PR.

  • New PRs or Commits will display a status message when the PR is ready to be merged. Click for more details.

  • Added ability to identify dev owners (git blame) for all .

  • Performance improvements when loading large report pages and the dashboard.

  • PR agent enhancement - On top of publishing fixes in GitHub PR comments, our PR agent will indicate when you get false alarms from your SAST tool. Click to learn more.

  • New fixes released:

    • Fortify

      • (Java)

    • Checkmarx

      • (Java)

    • SonarQube

      • (JavaScript / TypeScript)

      • (JavaScript)

      • (TypeScript)

      • (JavaScript)

      • (TypeScript)

      • (Python)

      • (Python)

      • (Python)

      • (Python)

    • Semgrep/Opengrep

      • (GO)

      • (GO)

      • (GO)

      • (GO)

      • (GO)

      • (Python)

      • (Python)

      • (Python)

      • (Python)

      • (Python)

      • (Python)

      • (YAML)

    • Datadog

      • (Java)

      • (Java)

      • (Java)

      • (Java)

      • (Java)

      • (Java)

      • (JavaScript / TypeScript)

      • (JavaScript / TypeScript)

      • (Python)

      • (Python)

April 8, 2025

New stable fixes released:

  • Snyk

  • Fortify

  • Checkmarx

    • Use of Cryptographically Weak PRNG (GO)

  • SonarQube

  • Semgrep/Opengrep

March 17, 2025

  • Mobb Azure DevOps Plugin updated:

    • Supports --commit-directly flag. This capability allows users to commit fixes directly to a target branch (i.e. source branch of a PR).

    • Publishing of Mobb link in the PR comments: A direct link to the Mobb analysis results is now included in PR comments.

    • Publishing of what fix was committed directly in PR comments (if the context is a PR): When a fix is committed within a PR context, the details of the fix will be automatically published in the PR comments.

  • New stable fixes released:

    • Semgrep/Opengrep

March 13, 2025

  • New stable fixes released:

    • Fortify

    • Checkmarx

      • Reversible One Way Hash (Python)

    • SonarQube

    • CodeQL

    • Semgrep/Opengrep

February 13, 2025

  • New stable fixes released:

    • Snyk

    • Fortify

    • Checkmarx

      • Use Of Hardcoded Password (C#)

      • Log Forging (GO)

      • Privacy Violation (GO)

      • SSL Verification Bypass (GO)

      • Frameable Login Page (Java)

      • Privacy Violation (Java)

      • SQL Injection Evasion Attack (Java)

      • Stored Absolute Path Traversal (Java)

      • Use of Hardcoded Cryptographic Key (Java)

    • SonarQube

    • CodeQL

    • Semgrep

January 21, 2025

  • New stable fixes released:

    • Snyk

    • Fortify

    • Checkmarx

      • Use of Non Cryptographic Random (Checkmarx/PHP)

    • SonarQube

    • CodeQL

    • Semgrep

January 7, 2025

  • New stable fixes released:

    • Snyk

    • Fortify

    • SonarQube

    • CodeQL

    • Semgrep

December 13, 2024

  • New stable fixes released:

    • Cross Site Scripting (XSS) (Snyk/Python)

November 6, 2024

  • New stable fixes released:

    • Unsafe_Object_Binding (Checkmarx/C#)

    • Log_Forging (Checkmarx/Python)

    • Use_of_Non_Cryptographic_Random (Checkmarx/Java)

    • CSRF (Checkmarx/C#)

    • Client_Hardcoded_Domain (Checkmarx/JavaScript)

    • Client_Regex_Injection (Checkmarx/JavaScript)

    • Path_Traversal (Checkmarx/Python)

September 24, 2024

  • New stable fixes released:

    • Insufficient Logging of Exceptions (Checkmarx/C#)

September 10, 2024

  • New stable fixes released:

    • Code Correctness: Erroneous String Compare (Erroneous String Compare) for Java (Fortify)

    • use_of_wrong_operator_in_string_comparison (Erroneous String Compare) for Java (Checkmarx)

    • Strings and Boxed types should be compared using "equals()" (Erroneous String Compare) for Java (SonarQube)

    • Poor Error Handling: Empty Catch Block for Java (Fortify)

    • unvalidated_arguments_of_public_methods (Unvalidated Public Method Argument) for C# (Checkmarx)

    • J2EE Bad Practices: Leftover Debug Code (Leftover Debug Code) for Java (Checkmarx)

    • Poor Style: Confusing Naming (Confusing Naming) for Java (Fortify)

    • confusing_naming (Confusing Naming) for Java (Checkmarx)

    • Debug Mode Enabled (Debug Enabled) for Python (Snyk)

    • flask-debug (Debug Enabled) for Python (CodeQL)

    • debug_enabled (Debug Enabled) for Python (Checkmarx)

    • Delivering code in production with debug features activated is security-sensitive (Debug Enabled) for Python (SonarQube)

    • information_exposure_via_headers (Information Exposure via Headers) for C# (Checkmarx)

    • Code Correctness: Class Does Not Implement Equivalence Method (Class Does Not Implement Equivalence Method) for Java (Fortify)

    • declaration_of_catch_for_generic_exception (Overly Broad Catch) for C# (Checkmarx)

August 19, 2024

  • New stable fixes released:

    • Unreleased Resource: Streams (Improper Resource Shutdown or Release) for Java (Fortify)

    • Poor Style: Value Never Read (Value Never Read) for Java (Fortify)

    • Improper Resource Shutdown or Release for Java (SonarQube)

    • Value Never Read for Java (SonarQube)

    • Improper_Resource_Shutdown_or_Release (Improper Resource Shutdown or Release) for Java (Checkmarx)

August 5, 2024

  • Mobb Fixer adds packages: For JS-based projects, if a fix requires the use of an additional package, Mobb will automatically add that package to the package.json file as part of the fix.

  • Experimental fixes are now disabled by default. You can go to Settings -> Fix Policy to turn them back on.

  • New stable fixes released:

    • Zip Slip for Java (SonarQube)

    • SQL Injection for Java (SonarQube)

    • Log Forging for Java (SonarQube)

    • XSS for Java (SonarQube)

    • Regex Injection for Java (SonarQube)

    • Insecure Cookie for Java (SonarQube)

    • Cookie is not HttpOnly for Java (SonarQube)

    • Path Traversal for Java (SonarQube)

    • Regex Injection for JavaScript (SonarQube)

    • Insecure Randomness for JavaScript (SonarQube)

    • Dead Code: Unused Field for C# (Fortify)

    • Header Manipulation: Cookies for C# (Fortify)

    • XSS for C# (Checkmarx)

June 27, 2024

  • Added Live Support via Intercom in the Mobb UI

  • New stable fixes released:

    • Information_Exposure_Through_an_Error_Message (System Information Leak) for C# (Checkmarx)

    • Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (Insecure Cookie) for JavaScript (Snyk)

    • Clear text transmission of sensitive cookie (Insecure Cookie) for JavaScript (CodeQL)

    • Cookie Security: Cookie not Sent Over SSL (Insecure Cookie) for JavaScript (Fortify)

    • Unprotected_Cookie (Insecure Cookie) for JavaScript (Checkmarx)

    • SQL Injection for Python (Snyk)

    • Unchecked_Input_For_Loop_Condition (Unchecked Loop Condition) for JavaScript (Checkmarx)

    • insufficient_logging_of_sensitive_operations (Insufficient Logging of Sensitive Operations) for C# (Checkmarx)

    • Incomplete URL scheme check for JavaScript (CodeQL)

    • Prototype-polluting assignment (Prototype Pollution) for JavaScript (CodeQL)

June 4, 2024

  • New stable fixes released:

    • Arbitrary File Write via Archive Extraction (Zip Slip) for Java (Snyk)

    • Arbitrary File Write via Archive Extraction (Zip Slip) for C# (Snyk)

    • Arbitrary file access during archive extraction (Zip Slip) for Java (CodeQL)

    • Arbitrary file access during archive extraction (Zip Slip) for C# (CodeQL)

    • Path Manipulation: Zip Entry Overwrite (Zip Slip) for Java (Fortify)

    • Path Manipulation: Zip Entry Overwrite (Zip Slip) for C# (Fortify)

    • Hard-coded credentials (Hardcoded Secrets) for JavaScript (CodeQL)

    • Value_Shadowing (Value Shadowing) for C# (Checkmarx)

    • Use_of_Insufficiently_Random_Values (Insecure Randomness) for C# (Checkmarx)

    • Use of Insufficiently Random Values (Insecure Randomness) for C# (Snyk)

    • Insecure Randomness for C# (CodeQL)

    • Insecure Randomness for C# (Fortify)

May 20, 2024

  • New stable fixes released:

    • HttpOnlyCookies for C# (Checkmarx)

    • Trust Boundary Violation for C# (Fortify)

    • Privacy Violation for Java (Fortify)

May 7, 2024

  • New stable fixes released:

    • Just One of Equals() and GetHashCode() Defined for C# (Fortify)

    • Missing equals or hashcode method for C# (Checkmarx)

    • WCF Misconfiguration: Throttling Not Enabled for C# (Fortify)

    • WCF Misconfiguration: Insufficient Logging for C# (Fortify)

    • Incomplete regular expression for hostnames for JavaScript (CodeQL)

    • Overly permissive regular expression range for JavaScript (CodeQL)

April 29, 2024

  • New feature: Project pages now include a "Language" column that contains information about the languages present in the project.

  • New feature: All fixes now contain a "Fix Info" tab, which contains additional info about the issue as well as fix instructions for the issue type.

  • New stable fixes released:

    • Header Manipulation for C# (Fortify)

    • Password in Comment for XML (Fortify)

    • Server-Side Request Forgery for JavaScript (Checkmarx)

April 18, 2024

  • New stable fixes released:

    • Prototype Pollution for JavaScript

    • Insecure Cookie for C#

    • Cookie is not HttpOnly for C#

    • Locale Dependent Comparison for Java

    • Race Condition Format Flaw for Java

    • Server-Side Request Forgery for C#

    • Regular Expression Injection for Java

    • XSS for Java

    • Poor Error Handling: Overly Broad Catch for Java

    • Non-final Public Static Field for Java

    • Missing HSTS Header for JavaScript

    • Dead Code: Unused Field for Java

March 19, 2024

  • New stable fixes released:

    • Insecure Randomness for JavaScript

    • SQL Injection for JavaScript

    • Command Injection for JavaScript

    • Hardcoded Secrets in JavaScript

    • Deprecated Function in JavaScript

    • Null Dereference for C#

    • Trust Boundary Violations for C#

March 4, 2024

  • The ROI Calculator identifies the total savings in cost and time from all automatic fixes.

  • The Fix Management dashboard identifies the most effective fixes available across all your projects.

Feb 26, 2024

  • New stable fixes released:

    • Path Traversal for JavaScript

    • Error Condition Without Action for Java

    • HTML Comment in JSP for Java

    • Default Definer Rights in Package or Object Definition for SQL

    • Improper Exception Handling for C#

    • Improper Resource Shutdown or Release for C#

Feb 7, 2024

  • New stable fixes released:

    • jQuery Deprecated Symbols for JavaScript

    • Missing iframe Sandbox for JavaScript

    • Unsafe Target Blank for JavaScript

    • Missing Anti-forgery Validation for C#

    • Insecure Binder Configuration for C#

    • Overly Broad Catch for C#

January 29, 2024

  • New stable fix released:

    • Missing Check Against Null for Java

  • Added support for Azure Repo - Mobb can now automatically retrieve source code from Azure Repo and commit directly back to an Azure Repo once a fix is ready.

January 26, 2024

  • New stable fix released:

    • Regex Injection for Java added

January 22, 2024

Jan 15, 2024

  • New stable fix released:

    • Trust Boundary Violations added

    • Log Forging for Snyk and Fortify added

January 9, 2024

December, 2023

May, 2022

Other announcements:

Introducing Clean Fix & False Positive Detection! Now, when you generate a fix analysis report, Mobb automatically categorizes issues into Fixable Issues, Irrelevant Issues (False Positives), and Remaining Issues. Click to learn more.

Mobb REST API: You can now interact with Mobb using REST API published . A walkthrough guide on how to get started is also available .

Project-level fix policy: You can now define fix policies such as issue types and automatic PRs on a per-project basis. Click to learn more, or watch the demo video .

Committing fixes directly to a target branch: When committing fixes back to your repository, you now have the option to commit it as a Pull Request or directly to a branch of your choice. Watch the demo video .

New Integrations Page added to Mobb UI: The integrations page allows you to centrally manage all your connections between Mobb and external code platforms, SAST tools, and CI/CD tools. Click to learn more.

New Mobb plugin has been released for Azure DevOps Pipeline: Click to learn more. Visual Studio Marketplace link can be found .

New guide on integrating Mobb in Bitbucket Pipeline: Click to learn more.

New guide on generating SonarQube SAST JSON Reports: Click to learn more.

New guide on generating Checkmarx One JSON Reports: Click to learn more.

Auto-PR feature added to Mobb UI: This feature lets users specify the issue types for which Mobb will automatically create a Pull Request (PR) in the Source Code Repository as soon as a fix becomes available. Click for more details.

Archive Fixes and Fix Rating: Users can now provide feedback directly to the Mobb support team through the fix feedback system on the Fix page. Users can specify if a particular fix is good and provide their reasons. Click for more details.

Added Support for Multi-tenant Mobb Broker: Mobb Broker allows users to connect their Mobb organization to self-hosted (private) source code repositories that are not publicly accessible from the internet. You can now deploy the Mobb Broker if your organization is on the multi-tenant Mobb platform. Click for more details.

Added support for GitHub Enterprise: This capability allows users to run fix analysis and commit fixed code directly to GitHub Enterprise. See for more details.

Added new "Fixing Effort" feature: Fixing effort is an indicator that informs users the level of effort required to complete the fix. Click for more details.

Added Effort as a new filter in the fix report filter list. See all available filters .

SonarQube support added: Mobb now supports SonarQube SAST results! You can now upload SonarQube reports to Mobb to generate fixes. Click to see a detailed list of currently supported fixes for SonarQube.

Resend user invitation: Added the option to resend an invitation email to someone to join your organization. Click for more details.

Quick analysis rerun: When an existing fix is improved, the Mobb app will indicate this status and offer to rerun the analysis in one click. After the rerun, the app will indicate which fixes are "fresh", meaning these are new compared to the previous run. Click for more information.

Added Severity and Language as filters in the fix report filter list. See all available filters .

Added support for Bitbucket Cloud - Support for SCM tools (GitHub, GitLab, Azure Repo, Bitbucket Cloud) allows users to automatically run fix analysis by connecting their repository to Mobb, as well as allowing Mobb to automatically generate Pull Requests (PRs) back into the repository. Follow the to learn more about how to submit a fix analysis for your repository.

UI Update - Project Settings: This capability provides additional granularity for setting user permissions on a per-project basis. To see more details, .

New documentation page:

Mobb Fixer for Checkmarx One GitHub Integration is now available. This integration monitors for Checkmarx comments in a PR and generates a Mobb Fixer comment in the same PR. for more details.

UI Update: Hovering over an issue name will display the original issue name from the SAST provider. for more details.

UI Update: Hovering over the (!) tooltip next to the text "Available Fixes" on the Fix Report page will display the number of issues fixed compared to the total issues found in the vulnerability report. for more details.

Mobb Broker is now released. Mobb Broker allows users to connect their Mobb organization to self-hosted source code repositories that are not publicly accessible from the internet. Please to learn more.

New feature: All previously committed fixes now include a "".

A new integration guide has been added for along with a sample integration YAML

Dashboard with ROI Calculator and Fix Management capabilities released. To see more details, .

Mobb Fixer for GitHub is released (Demo video for , , )

Mobb is now on the

Mobb is now on the

Bugsy launched. Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of Mobb, the first vendor-agnostic automated security vulnerability remediation tool. .
