What's New with Mobb
Discover recently released features, news and product announcements!
June 13, 2025
Released Mobb Vibe Shield (MVS) - Mobb Vibe Shield connects to your IDE (via the Mobb MCP Server + your AI-agent) and provides fixes directly in your source code. Click here to learn more.
Added full description in PR generated through Mobb's Auto-PR feature.
Added new REST API endpoint
/reporting/project-aggregatedfor reporting on aggregated data on projects.Added
convert-to-sarifmode in the Mobb CLI to better facilitate report processing capabilities of large reports (i.e. multiple repos in a single Fortify FPR report). Click here to learn more.Added support for Okta Single Sign-On (SSO) for organizations that wish to integrate with Mobb using Okta as their identity provider (IdP). Click here to learn more.
Added support for
--create-one-prflag in Mobb CLI - When this flag is added (along with the--auto-prflag), auto-pr will create one unified PR with all the available fixes in this analysis.Added support for
prStatusin REST API endpointGET /api/rest/fix-reports/{fixReportId}Added support for Asynchronous Commit - Mobb will now commit fixes (PRs or direct commits) asynchronously to the user's SCMs. Users no longer have to wait until the PR is completed before navigating away from the commit screen.
Added support for email notifications and configurations - Org admins can now configure email notification settings on fix analysis completion, fix commits, or report expiring under Organization Settings -> Notifications.
New fixes released:
Snyk
Open Redirect (Java)
Hardcoded Credential (PHP)
Hardcoded Credential Test (PHP)
Hardcoded Non Crypto Secret (PHP)
Hardcoded Password (PHP)
Hardcoded Password Test (PHP)
Checkmarx
Open Redirect (Java)
Hardcoded Salt (PHP)
Use of Hardcoded Cryptographic IV (PHP)
Use Of Hardcoded Password (PHP)
SonarQube
Fields that are only assigned in the constructor should be "readonly" (JavaScript / TypeScript)
Formatting SQL queries is security-sensitive (JavaScript / TypeScript)
Sections of code should not be commented out (JavaScript / TypeScript)
Sections of code should not be commented out (JavaScript / TypeScript)
Using slow regular expressions is security-sensitive (JavaScript / TypeScript)
Using slow regular expressions is security-sensitive (JavaScript / TypeScript)
Variables should be declared explicitly (JavaScript / TypeScript)
Unused assignments should be removed (Python)
Wildcard imports should not be used (Python)
CodeQL
Semgrep/Opengrep
javascript.lang.security.audit.detect-redos-mobb.detect-redos-mobb (JavaScript / TypeScript)
lang.security.audit.sqli.node-knex-sqli.node-knex-sqli (JavaScript / TypeScript)
lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli (JavaScript / TypeScript)
mobb.security.audit.express-check-cmdi (JavaScript / TypeScript)
May 2, 2025
Added support for Datadog SAST issues. For more details, visit the supported issues page here.
Added support for fixing a large number of issues (100+ commits) in one PR.
New PRs or Commits will display a status message when the PR is ready to be merged. Click here for more details.
Added ability to identify dev owners (git blame) for all supported SCMs.
Performance improvements when loading large report pages and the dashboard.
PR agent enhancement - On top of publishing fixes in GitHub PR comments, our PR agent will indicate when you get false alarms from your SAST tool. Click here to learn more.
New fixes released:
Fortify
J2EE Bad Practices: Threads (Java)
Checkmarx
Unsafe Object Binding (Java)
SonarQube
Function returns should not be invariant (JavaScript / TypeScript)
Jump statements should not occur in "finally" blocks (JavaScript)
Jump statements should not occur in "finally" blocks (TypeScript)
Variables should be declared with "let" or "const" (JavaScript)
Variables should be declared with "let" or "const" (TypeScript)
Semgrep/Opengrep
Datadog
Avoid user-input file (Java)
Prevent path traversal (Java)
Avoid setting insecure cookie settings (JavaScript / TypeScript)
Do not use weak hash functions (JavaScript / TypeScript)
Avoid SQL injections (Python)
April 8, 2025
New stable fixes released:
Snyk
Command Injection (Python)
Fortify
Cross-Site Request Forgery (Python)
Checkmarx
Use of Cryptographically Weak PRNG (GO)
March 17, 2025
Mobb Azure DevOps Plugin updated:
Supports
--commit-directlyflag. This capability allows users to commit fixes directly to a target branch (i.e. source branch of a PR).Publishing of Mobb link in the PR comments: A direct link to the Mobb analysis results is now included in PR comments.
Publishing of what fix was committed directly in PR comments (if the context is a PR): When a fix is committed within a PR context, the details of the fix will be automatically published in the PR comments.
New stable fixes released:
Semgrep/Opengrep
March 13, 2025
New stable fixes released:
Fortify
Weak Cryptographic Hash (Java)
Weak Cryptographic Hash (Python)
Checkmarx
Reversible One Way Hash (Java)
Client Weak Cryptographic Hash (JavaScript / TypeScript)
Use Of Broken Or Risky Cryptographic Algorithm (JavaScript / TypeScript)
Reversible One Way Hash (Python)
SonarQube
Using weak hashing algorithms is security-sensitive (JavaScript / TypeScript)
CodeQL
Insecure randomness (JavaScript / TypeScript)
Use of a broken or weak cryptographic algorithm (JavaScript / TypeScript)
Semgrep/Opengrep
February 13, 2025
Introducing Clean Fix & False Positive Detection! Now, when you generate a fix analysis report, Mobb automatically categorizes issues into Fixable Issues, Irrelevant Issues (False Positives), and Remaining Issues. Click here to learn more.
New stable fixes released:
Snyk
Clear Text Logging (GO)
Fortify
Log Forging (GO)
Checkmarx
Use Of Hardcoded Password (C#)
Log Forging (GO)
Privacy Violation (GO)
SSL Verification Bypass (GO)
Frameable loging page (Java)
Privacy Violation (Java)
SQL Injection Evasion Attack (Java)
Stored Absolute Path Traversal (Java)
Use of Hard coded Cryptographic Key (Java)
Filtering Sensitive Logs (Python)
Hardcoded Secrets (Python)
Privacy Violation (Python)
Unchecked Input for Loop Condition (Python)
SonarQube
January 21, 2025
New stable fixes released:
Snyk
Regular Expression Denial of Service (ReDoS) (Snyk/Python)
Fortify
Cross-Site Request Forgery (Fortify/JavaScript / TypeScript)
Privacy Violation: Autocomplete (Fortify/JavaScript / TypeScript)
Insecure Randomness (Fortify/PHP)
SQL Injection (Fortify/Python)
Checkmarx
Use of Non Cryptographic Random (Checkmarx/PHP)
ReDoS Injection (Checkmarx/Python)
Second Order SQL Injection (Checkmarx/Python)
SonarQube
Unassigned members should be removed (SonarQube/C#)
Unread "private" fields should be removed (SonarQube/C#)
Unused private types or members should be removed (SonarQube/C#)
Database queries should not be vulnerable to injection attacks (SonarQube/Python)
Formatting SQL queries is security-sensitive (SonarQube/Python)
Regular expressions should not be vulnerable to Denial of Service attacks (SonarQube/Python)
CodeQL
Regular expression injection (CodeQL/Python)
SQL query built from user-controlled sources (CodeQL/Python)
Semgrep
javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape (Semgrep/JavaScript/TypeScript)
javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring (Semgrep/JavaScript/TypeScript)
django.security.injection.tainted-sql-string.tainted-sql-string (Semgrep/Python)
flask.security.injection.tainted-sql-string.tainted-sql-string (Semgrep/Python)
lang.security.audit.formatted-sql-query.formatted-sql-query (Semgrep/Python)
lang.security.audit.sqli.psycopg-sqli.psycopg-sqli (Semgrep/Python)
python.django.security.django-no-csrf-token.django-no-csrf-token (Semgrep/Python)
python.django.security.injection.open-redirect.open-redirect (Semgrep/Python)
January 7, 2025
New stable fixes released:
Snyk
Incomplete URL sanitization (Snyk/Python)
Fortify
System Information Leak: Internal (Fortify/Python)
SonarQube
Composite format strings should be used correctly (SonarQube/C#)
Sections of code should not be commented out (SonarQube/C#)
CodeQL
Incomplete URL substring sanitization (CodeQL/Python)
Semgrep
java.lang.security.audit.crypto.weak-random.weak-random (Semgrep/Java)
html.security.audit.missing-integrity.missing-integrity (Semgrep/JavaScript)
python.flask.security.audit.debug-enabled.debug-enabled (Semgrep/Python)
December 13, 2024
Committing fixes directly to a target branch: When committing fixes back to your repository, you now have the option to commit it as a Pull Request or directly to a branch of your choice. Watch the demo video here.
New stable fixes released:
Reflected cross-site scripting (CodeQL/JavaScript)
SQL Injection (Checkmarx/Python)
Reflected_XSS_All_Clients (Checkmarx/Python)
Cross Site Scripting (XSS) (Snyk/Python)
Client DOM Stored Code Injection (Checkmarx/avaScript)
Dynamically executing code is security-sensitive (SonarQube/Javascript)
Password In Comment (Checkmarx/Java)
NoSQL operations should not be vulnerable to injection attacks (SonarQube/TypeScript)
NoSQL operations should not be vulnerable to injection attacks (SonarQube/JavaScript)
Password Management: Password in Comment (Fortify/Python)
Password in Comment (Checkmarx/Python)
I/O function calls should not be vulnerable to path injection attacks (SonarQube/JavaScript)
I/O function calls should not be vulnerable to path injection attacks (SonarQube/TypeScript)
Heap Inspection (Checkmarx/C#)
Missing HSTS Header (Checkmarx/C#)
November 6, 2024
New Integrations Page added to Mobb UI: The integrations page allows you to centrally manage all your connections between Mobb and external code platforms, SAST tools, and CI/CD tools. Click here to learn more.
New guide on integrating Mobb in Bitbucket Pipeline: Click here to learn more.
New guide on generating SonarQube SAST JSON Reports: Click here to learn more.
New guide on generating Checkmarx One JSON Reports: Click here to learn more.
New stable fixes released:
Unsafe_Object_Binding (Checkmarx/C#)
Log_Forging (Checkmarx/Python)
Logging should not be vulnerable to injection attacks (SonarQube/Python)
Insecure Randomness (Fortify/Java)
Use_of_Non_Cryptographic_Random (Checkmarx/Java)
Using pseudorandom number generators (PRNGs) is security-sensitive (SonarQube/Java)
CSRF (Checkmarx/C#)
Null pointers should not be dereferenced (SonarQube/C#)
Hardcoded Domain in HTML (Fortify/JavaScript)
Client_Hardcoded_Domain (Checkmarx/JavaScript)
Using remote artifacts without integrity checks is security-sensitive (SonarQube/JavaScript)
Inclusion of functionality from an untrusted source (CodeQL/JavaScript)
Missing HSTS Header (Checkmarx/JavaScript)
Client_Regex_Injection (Checkmarx/JavaScript)
DOM updates should not lead to cross-site scripting (XSS) attacks (SonarQube/JavaScript)
DOM updates should not lead to cross-site scripting (XSS) attacks (SonarQube/TypeScript)
Database queries should not be vulnerable to injection attacks (SonarQube/JavaScript)
Database queries should not be vulnerable to injection attacks (SonarQube/TypeScript)
Hard-coded credentials are security-sensitive (SonarQube/JavaScript)
Hard-coded credentials are security-sensitive (SonarQube/TypeScript)
Regular expressions should not be vulnerable to Denial of Service attacks (SonarQube/JavaScript)
Using pseudorandom number generators (PRNGs) is security-sensitive (SonarQube/JavaScript)
DOM updates should not lead to open redirect vulnerabilities (SonarQube/JavaScript)
HTTP request redirections should not be open to forging attacks (SonarQube/JavaScript)
HTTP request redirections should not be open to forging attacks (SonarQube/TypeScript)
Unnecessary character escapes should be removed (SonarQube/JavaScript)
Cookie Security: Session Cookie not Sent Over SSL (Fortify/C#)
Path Manipulation (Fortify/Python)
Path Traversal (Snyk/Python)
Path_Traversal (Checkmarx/Python)
path-injection (CodeQL/Python)
Cross-Site Scripting: DOM (Fortify/JavaScript)
Cross-Site Scripting: Self (Fortify/JavaScript)
Open Redirect (Fortify/JavaScript)
Improper_Resource_Shutdown_or_Release (Checkmarx/Python)
DOM updates should not lead to open redirect vulnerabilities (SonarQube/JavaScript)
Unnecessary character escapes should be removed (SonarQube/JavaScript)
Logging should not be vulnerable to injection attacks (SonarQube/C#)
Prototype Pollution (Snyk/JavaScript)
Allocation of Resources Without Limits or Throttling (Snyk/JavaScript)
September 24, 2024
Auto-PR feature added to Mobb UI: This feature allows users to specify which issue types Mobb will automatically create a Pull Request (PR) in your Source Code Repository as soon as a fix becomes available. Click here for more details.
Archive Fixes and Fix Rating: Users can now provide feedback directly to the Mobb support team through the fix feedback system on the Fix page. Users can specify if a particular fix is good and provide their reasons. Click here for more details.
New stable fixes released:
Jinja auto-escape is set to false (Snyk/Python)
Insufficient Logging of Exceptions (Checkmarx/C#)
Missing rate limiting (CodeQL/JavaScript)
September 10, 2024
Added Support for Multi-tenant Mobb Broker: Mobb Broker allows users to connect their Mobb organization to self-hosted (private) source code repositories that are not publicly accessible from the internet. You can now deploy the Mobb broker if your organization is on the multi-tenant mobb platform. Click here for more details.
New stable fixes released:
Code Correctness: Erroneous String Compare (Erroneous String Compare) for Java (Fortify)
use_of_wrong_operator_in_string_comparison (Erroneous String Compare) for Java (Checkmarx)
Strings and Boxed types should be compared using "equals()" (Erroneous String Compare) for Java (Sonarqube)
Poor Error Handling: Empty Catch Block for Java (Fortify)
unvalidated_arguments_of_public_methods (Unvalidated Public Method Argument) for C# (Checkmarx)
J2EE Bad Practices: Leftover Debug Code (Leftover Debug Code) for Java (Checkmarx)
Poor Style: Confusing Naming (Confusing Naming) for Java (Fortify)
confusing_naming (Confusing Naming) for Java (Checkmarx)
Debug Mode Enabled (Debug Enabled) for Python (Snyk)
flask-debug (Debug Enabled) for Python (CodeQL)
debug_enabled (Debug Enabled) for Python (Checkmarx)
Delivering code in production with debug features activated is security-sensitive (Debug Enabled) for Python (Sonarqube)
information_exposure_via_headers (Information Exposure via Headers) for C# (Checkmarx)
Code Correctness: Class Does Not Implement Equivalence Method (Class Does Not Implement Equivalence Method) for Java (Fortify)
declaration_of_catch_for_generic_exception (Overly Broad Catch) for C# (Checkmarx)
August 19, 2024
Added support for GitHub Enterprise: This capability allows users to run fix analysis and commit fixed code directly to GitHub Enterprise. See system requirements for more details.
Added new "Fixing Effort" feature: Fixing effort is an indicator that informs users the level of effort required to complete the fix. Click here for more details.
Added
Effortas a new filter in the fix report filter list. See all available filters here.New stable fixes released:
Unreleased Resource: Streams (Improper Resource Shutdown or Release) for Java (Fortify)
Poor Style: Value Never Read (Value Never Read) for Java (Fortify)
Improper Resource Shutdown or Release for Java (SonarQube)
Value Never Read for Java (SonarQube)
Improper_Resource_Shutdown_or_Release (Improper Resource Shutdown or Release) for Java (Checkmarx)
August 5, 2024
SonarQube support added: Mobb now supports SonarQube SAST results! You can now upload SonarQube reports to Mobb to generate fixes. Click here to see a detailed list of currently supported fixes for SonarQube.
Mobb Fixer adds packages: For JS-based projects, if a fix requires the use of an additional package, Mobb will automatically add that package as part of the fix to
package.jsonfile.Resend user invitation: Added the option to resend an invitation email to someone to join your organization. Click here for more details.
Quick analysis rerun: When an existing fix is improved, the Mobb app will indicate this status and offer to rerun the analysis in one click. After the rerun, the app will indicate which fixes are "fresh", meaning these are new compared to the previous run. Click here for more information.
Added
SeverityandLanguageas filters in the fix report filter list. See all available filters here.Experimental fixes are now disabled by default. You can go to Settings -> Fix Policy to turn them back on.
New stable fixes released:
Zip Slip for Java (SonarQube)
SQL Injection for Java (SonarQube)
Log Forging for Java (SonarQube)
XSS for Java (SonarQube)
Regex Injection for Java (SonarQube)
Insecure Cookie for Java (SonarQube)
Cookie is not HttpOnly for Java (SonarQube)
Path Traversal for Java (SonarQube)
Cookie is not HttpOnly for Java (SonarQube)
Regex Injection for JavaScript (SonarQube)
Insecure Randomness for JavaScript (SonarQube)
Dead Code: Unused Field for C# (Fortify)
Header Manipulation: Cookies for C# (Fortify)
XSS for C# (Checkmarx)
June 27, 2024
Added support for Bitbucket Cloud - Support for SCM tools (GitHub, GitLab, Azure Repo, Bitbucket Cloud) allows users to automatically run fix analysis by connecting their repository to Mobb, as well as allowing Mobb to automatically generate Pull Requests (PRs) back into the repository. Follow the onboarding guide to learn more about how to submit a fix analysis for your repository.
Added Live Support via Intercom in the Mobb UI
New stable fixes released:
Information_Exposure_Through_an_Error_Message (System Information Leak) for C# (Checkmarx)
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (Insecure Cookie) for JavaScript (Snyk)
Clear text transmission of sensitive cookie (Insecure Cookie) for JavaScript (CodeQL)
Cookie Security: Cookie not Sent Over SSL (Insecure Cookie) for JavaScript (Fortify)
Unprotected_Cookie (Insecure Cookie) for JavaScript (Checkmarx)
SQL Injection for Python (Snyk)
Unchecked_Input_For_Loop_Condition (Unchecked Loop Condition) for JavaScript (Checkmarx)
insufficient_logging_of_sensitive_operations (Insufficient Logging of Sensitive Operations) for C# (Checkmarx)
Incomplete URL scheme check for JavaScript (CodeQL)
Prototype-polluting assignment (Prototype Pollution) for JavaScript (CodeQL)
June 4, 2024
UI Update - Project Settings: This capability provides additional granularity for setting user permissions on a per-project basis. To see more details, click here.
New documentation page: Mobb GitHub Fixer for CxOne
New stable fixes released:
Arbitrary File Write via Archive Extraction (Zip Slip) for Java (Snyk)
Arbitrary File Write via Archive Extraction (Zip Slip) for C# (Snyk)
Arbitrary file access during archive extraction (Zip Slip) for Java (CodeQL)
Arbitrary file access during archive extraction (Zip Slip) for C# (CodeQL)
Path Manipulation: Zip Entry Overwrite (Zip Slip) for Java (Fortify)
Path Manipulation: Zip Entry Overwrite (Zip Slip) for C# (Fortify)
Hard-coded credentials (Hardcoded Secrets) for JavaScript (CodeQL)
Value_Shadowing (Value Shadowing) for C# (Checkmarx)
Use_of_Insufficiently_Random_Values (Insecure Randomness) for C# (Checkmarx)
Use of Insufficiently Random Values (Insecure Randomness) for C# (Snyk)
Insecure Randomness for C# (CodeQL)
Insecure Randomness for C# (Fortify)
May 20, 2024
Mobb Fixer for Checkmarx One GitHub Integration is now available. This integration monitors for `Checkmarx comments in a PR and generates a Mobb Fixer comment in the same PR. Click here for more details.
UI Update: Hovering over an issue name will display the original issue name from the SAST provider. Click here for more details.
New stable fixes released:
HttpOnlyCookies for C# (Checkmarx)
Trust Boundary Violation for C# (Fortify)
Privacy Violation for Java (Fortify)
May 7, 2024
UI Update: Hovering over the (!) tooltip next to the text "Available Fixes" on the Fix Report page will display the number of issues fixed compared to the total issues found in the vulnerability report. Click here for more details.
New stable fixes released:
Just One of Equals() and GetHashCode() Defined for C# (Fortify)
Missing equals or hashcode method for C# (Checkmarx)
WCF Misconfiguration: Throttling Not Enabled for C# (Fortify)
WCF Misconfiguration: Insufficient Logging for C# (Fortify)
Incomplete regular expression for hostnames for JavaScript (CodeQL)
Overly permissive regular expression range for JavaScript (CodeQL)
April 29, 2024
Mobb Broker is now released. Mobb Broker allows users to connect their Mobb organization to self-hosted source code repositories that are not publicly accessible from the internet. Please contact us to learn more.
New feature: Project pages now include a "Language" column that contains information about the languages present in the project.
New feature: All previously committed fixes now include a "Link to commit".
New feature: All fixes now contain a "Fix Info" tab, which contains additional info about the issue as well as fix instructions for the issue type.
A new integration guide has been added for Atlassian Bamboo along with a sample integration YAML
New stable fixes released:
Header Manipulation for C# (Fortify)
Password in Comment for XML (Fortify)
Server-Side Request Forgery for JavaScript (Checkmarx)
April 18, 2024
New stable fixes released:
Prototype Pollution for JavaScript
Insecure Cookie for C#
Cookie is not HttpOnly for C#
Locale Dependent Comparison for Java
Race Condition Format Flaw for Java
Server-Side Request Forgery for C#
Regular Expression Injection for Java
XSS for Java
Poor Error Handling: Overly Broad Catch for Java
Non-final Public Static Field for Java
Missing HSTS Header for JavaScript
Dead Code: Unused Field for Java
March 19, 2024
New stable fixes released:
Insecure Randomness for Javascript
SQL Injection for Javascript
Command Injection for Javascript
Hardcoded Secrets in Javascript
Deprecated Function in Javascript
Null Dereference for C#
Trust Boundary Violations for C#
March 4, 2024
Dashboard with ROI Calculator and Fix Management capabilities released. To see more details, click here.
The ROI Calculator identifies the total savings in cost and time from all automatic fixes
Fix Management dashboard identifies the most effective fixes available across all your projects
Feb 26, 2024
New stable fixes released:
Path Traversal for JavaScript
Error Condition Without Action for Java
HTML Comment in JSP for Java
Default Definer Rights in Package or Object Definition for SQL
Improper Exception Handling for C#
Improper Resource Shutdown or Release for C#
Feb 7, 2024
New stable fixes released:
jQuery Deprecated Symbols for JavaScript
Missing iframe Sandbox for JavaScript
Unsafe Target Blank for JavaScript
Missing Anti-forgery Validation for C#
Insecure Binder Configuration for C#
Overly Broad Catch for C#
January 29, 2024
New stable fix released:
Missing Check Against Null for Java
Added support for Azure Repo - Mobb can now automatically retrieve source code from Azure Repo and commit directly back to an Azure Repo once a fix is ready.
January 26, 2024
New stable fix released:
Regex Injection for Java added
January 22, 2024
Jan 15, 2024
New stable fix released:
Trust Boundary Violations added
Log Forging for Snyk and Fortify added
January 9, 2024
Mobb is now on the Snyk Integrations page
December, 2023
Mobb is now on the AWS Marketplace
May, 2022
Bugsy launched. Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of Mobb, the first vendor-agnostic automated security vulnerability remediation tool. Click here to learn more.
Last updated
Was this helpful?